DOI: 10.1145/2076732.2076788 | ACSAC Conference Proceedings | Research article

From prey to hunter: transforming legacy embedded devices into exploitation sensor grids

Published: 05 December 2011

ABSTRACT

Our global communication infrastructures are powered by large numbers of legacy embedded devices. Recent advances in offensive technologies targeting embedded systems have shown that the stealthy exploitation of high-value embedded devices such as routers and firewalls is indeed feasible. However, little to no host-based defensive technology is available to monitor and protect these devices, leaving large numbers of critical devices defenseless against exploitation. We devised a method of augmenting legacy embedded devices, like Cisco routers, with host-based defenses in order to create a stealthy, embedded sensor grid capable of monitoring and capturing real-world attacks against the devices which constitute the bulk of the Internet substrate. Using a software mechanism which we call the Symbiote, a white-list-based code modification detector is automatically injected in situ into Cisco IOS, producing a fully functional router firmware capable of detecting and capturing successful attacks against itself for analysis. Using the Symbiote-protected router as the main component, we designed a sensor system which requires no modification to existing hardware, fully preserves the functionality of the original firmware, and detects unauthorized modification of memory within 450 ms. We believe that it is feasible to use the techniques described in this paper to inject monitoring and defensive capability into existing routers to create an early attack warning system to protect the Internet substrate.
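As an added illustration (not the paper's Symbiote code and not Cisco IOS), the C program below sketches the white-list-based code modification detector the abstract describes: a checksum of each protected code region is recorded before the device goes live, and a periodic monitor re-verifies one region per tick in round-robin order, so an unauthorized write is caught within a bounded number of ticks. The firmware contents, region layout, checksum function and the `simulate_code_write` test hook are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed stand-in for a firmware code segment (not real IOS). */
#define CODE_BYTES 4096
#define NREGIONS   4
static uint8_t firmware_code[CODE_BYTES];
/* White-list entry: a code region that must never change at run time. */
typedef struct {
    size_t   offset, length;
    uint32_t expected;        /* checksum recorded at injection time */
} region_t;
static region_t whitelist[NREGIONS];
/* FNV-1a: cheap, non-cryptographic; fine for detecting changes, not for
   resisting an adversary who can recompute it (the monitor itself needs protection). */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
/* Snapshot the known-good code once, before the device goes live. */
void whitelist_init(void) {
    for (size_t i = 0; i < CODE_BYTES; i++)       /* constructed contents */
        firmware_code[i] = (uint8_t)(i * 31 + 7);
    for (int r = 0; r < NREGIONS; r++) {
        whitelist[r].offset   = (size_t)r * (CODE_BYTES / NREGIONS);
        whitelist[r].length   = CODE_BYTES / NREGIONS;
        whitelist[r].expected = fnv1a(firmware_code + whitelist[r].offset,
                                      whitelist[r].length);
    }
}
/* One tick re-verifies a single region, so each tick is cheap and round-robin
   scheduling bounds detection latency to NREGIONS ticks (the paper reports
   450 ms for its IOS deployment). Returns the region index if modified, else -1. */
int monitor_tick(int tick) {
    int idx = tick % NREGIONS;
    const region_t *r = &whitelist[idx];
    return fnv1a(firmware_code + r->offset, r->length) == r->expected ? -1 : idx;
}
/* Full sweep: first modified region, or -1 if every region is clean. */
int monitor_sweep(void) {
    for (int t = 0; t < NREGIONS; t++)
        if (monitor_tick(t) >= 0) return t;
    return -1;
}
/* Constructed test hook standing in for an unauthorized write to code. */
void simulate_code_write(size_t offset, uint8_t value) { firmware_code[offset] = value; }
```

A single-byte change is always caught: FNV-1a's xor and odd-constant multiply are both bijections on 32-bit state, so two region images differing in one byte never share a checksum.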


Published in: ACSAC '11: Proceedings of the 27th Annual Computer Security Applications Conference, December 2011, 432 pages. ISBN: 9781450306720. DOI: 10.1145/2076732

              Copyright © 2011 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rate: overall 104 of 497 submissions, 21%
