The Harvard architecture, in which program memory and data memory are physically separate, is common in the embedded world. The Mica family of wireless sensor motes is one example. Mica motes have very little RAM and handle only very small packets. Because the processor fetches instructions from program memory only, the classic stack-based buffer overflow technique of writing code into the stack and then jumping to it does not work, and it has been widely believed that code injection is impossible on Harvard architectures. This paper presents a remote code injection attack on Mica sensors. We show how to exploit program vulnerabilities to permanently inject arbitrary code into the program memory of an Atmel AVR-based sensor. To our knowledge, this is the first code injection technique for such devices; previous work only succeeded in injecting data or in mounting transient attacks. Injecting code permanently is more powerful, since the attacker gains full control of the target sensor. We also show that the attack can be used to inject a worm that propagates through the wireless sensor network and could create a sensor botnet. The attack combines return-oriented programming with fake stack injection. We present implementation details and suggest some countermeasures.
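The following C program is an added example, not code from the paper, that models the abstract's argument on a toy Harvard machine: a classic stack-shellcode payload faults because the program counter can only fetch from program memory, while a fake stack laid out by the same overflow chains an existing flash-write gadget to burn attacker bytes into program memory, where they survive a reboot. The opcode set, memory layout, gadget and the unbounded packet copy are all assumptions made for this illustration; the write gadget stands in for a device's bootloader flash-programming routine (on AVR, only code in the bootloader section may execute SPM), not for the paper's actual gadget chain.

```c
/* Added example, not code from the paper: a toy Harvard machine. prog[] is
 * program memory (flash, kept across reboot), data[] is data memory (SRAM,
 * holds the stack). The PC only ever indexes prog[], so bytes written onto the
 * stack are never executed. Opcodes, addresses and the gadget are assumptions
 * for this illustration, not the AVR ISA or the paper's real gadget chain. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { MEM = 256, RUN_HALT = 0, RUN_FAULT = 1 };           /* 8-bit address spaces */
enum { OP_HALT, OP_RET, OP_POP_X, OP_POP_A, OP_STPROG, OP_MARK, OP_ERASED = 0xFF };
enum { HANDLER_RET = 0x08, MAINLOOP = 0x10, GADGET_WRITE = 0x20, FREE_FLASH = 0x40,
       BUF = 0xF0, BUFSZ = 8, SAVED_RET = BUF + BUFSZ };

static uint8_t prog[MEM], data[MEM], pc, sp, ra, rx;
static int marker_hit;                   /* OP_MARK ran: "attacker code executed" */

static uint8_t pop(void) { return data[++sp]; }   /* stack grows down, as on AVR */
int code_ran(void) { return marker_hit; }
int prog_byte(uint8_t addr) { return prog[addr]; }

static void firmware_load(void) {
    memset(prog, OP_ERASED, MEM);        /* erased flash reads 0xFF */
    prog[HANDLER_RET] = OP_RET;          /* tail of the packet handler */
    prog[MAINLOOP] = OP_HALT;            /* legitimate return target */
    /* Existing flash-write routine (pop address, pop value, write one byte of
       program memory, return): stand-in for a bootloader's self-programming
       code, the only code on an AVR that is allowed to write flash. */
    prog[GADGET_WRITE] = OP_POP_X;      prog[GADGET_WRITE + 1] = OP_POP_A;
    prog[GADGET_WRITE + 2] = OP_STPROG; prog[GADGET_WRITE + 3] = OP_RET;
}

/* Reboot: SRAM (and any fake stack in it) is lost, flash is kept. */
static void reboot(void) { memset(data, 0, MEM); ra = rx = 0; sp = 0xFF; marker_hit = 0; }

static int vm_run(uint8_t start) {
    pc = start;
    for (int steps = 0; steps < 64; steps++) {
        switch (prog[pc++]) {            /* instruction fetch from program memory ONLY */
        case OP_HALT:   return RUN_HALT;
        case OP_RET:    pc = pop(); break;
        case OP_POP_X:  rx = pop(); break;
        case OP_POP_A:  ra = pop(); break;
        case OP_STPROG: prog[rx] = ra; break;
        case OP_MARK:   marker_hit = 1; break;
        default:        return RUN_FAULT;   /* erased flash / illegal opcode */
        }
    }
    return RUN_FAULT;
}

/* Vulnerable handler: unbounded copy into an 8-byte stack buffer, so a long
   packet overwrites the saved return address and everything above it. */
static int handle_packet(const uint8_t *pkt, size_t len) {
    data[SAVED_RET] = MAINLOOP;
    for (size_t i = 0; i < len; i++) data[(uint8_t)(BUF + i)] = pkt[i];
    sp = SAVED_RET - 1;
    return vm_run(HANDLER_RET);
}

/* Von Neumann-style attack: shellcode in the buffer, return address -> buffer.
   The PC lands on erased flash at prog[0xF0]; the shellcode is never fetched. */
int attack_stack_shellcode(void) {
    uint8_t pkt[BUFSZ + 1];
    memset(pkt, OP_HALT, sizeof pkt);
    pkt[0] = OP_MARK;
    pkt[BUFSZ] = BUF;                    /* overwrite the saved return address */
    firmware_load(); reboot();
    return handle_packet(pkt, sizeof pkt);
}

/* Fake stack + ROP: the overflow lays out return addresses and arguments so each
   RET re-enters the write gadget and burns one byte of attacker code into free
   program memory; the last return jumps into that freshly written code. */
int attack_fake_stack_rop(void) {
    enum { CODELEN = 2 };
    const uint8_t code[CODELEN] = { OP_MARK, OP_HALT };   /* code to make permanent */
    uint8_t pkt[BUFSZ + 3 * CODELEN + 1];
    size_t n = BUFSZ;
    memset(pkt, 0, BUFSZ);               /* the buffer itself is just filler */
    for (size_t i = 0; i < CODELEN; i++) {
        pkt[n++] = GADGET_WRITE;         /* return into the flash-write gadget */
        pkt[n++] = FREE_FLASH + i;       /* popped into X: destination address */
        pkt[n++] = code[i];              /* popped into A: byte to write */
    }
    pkt[n++] = FREE_FLASH;               /* final return: run the injected code */
    firmware_load(); reboot();
    return handle_packet(pkt, n);
}

/* The fake stack dies with SRAM, but the injected bytes stay in flash and run
   after a reboot (hooking them into the boot path is outside this model). */
int injected_code_survives_reboot(void) {
    if (attack_fake_stack_rop() != RUN_HALT) return 0;
    reboot();
    return vm_run(FREE_FLASH) == RUN_HALT && marker_hit;
}

int main(void) {
    printf("stack shellcode: %s, code ran=%d\n",
           attack_stack_shellcode() == RUN_FAULT ? "fault" : "halt", code_ran());
    printf("fake stack+ROP: %s, code ran=%d, prog[0x40]=0x%02x\n",
           attack_fake_stack_rop() == RUN_HALT ? "halt" : "fault", code_ran(), prog_byte(FREE_FLASH));
    printf("survives reboot: %d\n", injected_code_survives_reboot());
}
```

The two payloads go through the same overflow; the only difference is what the overwritten return address points at. The first points into data memory, which the fetch path in `vm_run` cannot reach, so nothing the attacker wrote executes. The second points only at code that already exists in program memory and supplies that code's arguments from the injected fake stack, which is why a Harvard split alone does not stop it and why an unauthenticated flash-write routine reachable through a return is the thing to lock down.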