publications
2023
- TDSC’23: Discovery and Identification of Memory Corruption Vulnerabilities on Bare-Metal Embedded Devices. Majid Salehi, Luca Degani, Marco Roveri, Danny Hughes, and Bruno Crispo. IEEE Transactions on Dependable and Secure Computing, 2023
Memory corruption vulnerabilities remain a prevalent threat on low-cost bare-metal devices. Fuzzing is a popular technique for automatically discovering such vulnerabilities. However, bare-metal devices lack even basic security mechanisms such as a Memory Management Unit. Consequently, fuzzing approaches encounter silent memory corruptions with no visible effects, making even discovery difficult. Once discovered, it is also essential to identify the type of observed vulnerability for applying mitigation. Both discovery and identification remain open challenges in the case of fuzzing firmware binaries. This article addresses these problems by proposing an automated instrumentation technique that allows the observation of memory corruption vulnerabilities that are otherwise not observable and facilitates the automated identification of the observed vulnerability. Additionally, we surveyed state-of-the-art IoT fuzzers and analyzed their experimental methodologies. We found that existing approaches have fundamental problems that lead to incorrect or misleading results. To evaluate the effectiveness of IoT fuzzers, it is essential to determine the range and type of vulnerabilities that these fuzzers can discover. Thus, we propose the first ground-truth benchmark suite for IoT fuzzers that enables accurate and consistent evaluation of their vulnerability-finding performance. Our instrumentation framework’s efficacy and efficiency in combination with state-of-the-art IoT fuzzers are assessed using the proposed benchmark.
2022
- Comp. Net.’22: NemesisGuard: Mitigating Interrupt Latency Side Channel Attacks with Static Binary Rewriting. Majid Salehi, Gilles De Borger, Danny Hughes, and Bruno Crispo. Computer Networks, 2022
The Internet of Things (IoT) is becoming integrated into nearly every aspect of our modern life. Indeed, exploitation of such devices can directly lead to physical consequences in the real world. Previous work has shown that IoT devices can be compromised by exploits in lower software layers such as the Operating System (OS). Embedded Trusted Execution Environments (TEEs) provide a small Trusted Computing Base (TCB) to protect sensitive code and data in such devices. TEEs assume a strong threat model where even a privileged attacker (e.g., the OS) cannot compromise the confidentiality and integrity of the execution. Nevertheless, it has been shown that side channel attacks make it challenging to keep secrets during application execution. Interrupt latency side channel attacks (a.k.a. Nemesis) are a novel type of timing attack that targets embedded TEEs and extracts application secrets from them. Nemesis attacks exploit the CPU’s interrupt mechanism to reveal microarchitectural instruction timings from embedded TEEs. Specifically, the attacker measures the latency of a precisely timed interrupt to differentiate between secret-dependent branches. In this paper, we present NemesisGuard, the first mitigation mechanism against such side channel attacks that does not require a modified compiler or hardware and can protect COTS binaries without access to source code. NemesisGuard applies a novel static binary instrumentation technique to balance secret-dependent branches in IoT application binaries. Evaluation of NemesisGuard shows that it mitigates Nemesis side channel attacks effectively and efficiently.
2020
- RAID’20: μSBS: Static Binary Sanitization of Bare-metal Embedded Devices for Fault Observability. Majid Salehi, Danny Hughes, and Bruno Crispo. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020), Oct 2020
A large portion of the already deployed Internet of Things (IoT) devices are bare-metal. In a bare-metal device, the firmware executes directly on the hardware with no intermediary OS. While bare-metal devices increase efficiency and flexibility, they are also subject to memory corruption vulnerabilities that are regularly uncovered. Fuzzing is an effective and popular software testing method to discover vulnerabilities. The effectiveness of fuzzing approaches relies on the fact that memory corruption faults, by violating existing security mechanisms such as the MMU, are observable and thus relatively easy to debug. Unfortunately, bare-metal devices lack such security mechanisms. Consequently, fuzzing approaches encounter silent memory corruptions with no visible effects, making debugging extremely difficult. This paper tackles this problem by proposing μSBS, a novel approach that, by statically instrumenting the binaries, makes memory corruptions observable. In contrast to prior work, μSBS does not need to reverse engineer the firmware. The approach is practical as it does not require a modified compiler and can perform policy-based instrumentation of firmware without access to source code. Evaluation of μSBS shows that it reduces security analyst effort, while discovering the same set of memory error types as prior work.