Secure Execution: IoT DevicesWorkshop on IoT Security
11th Sept 2018
Sandeep KumarDr. Smruti R. SarangiIndian Institute of Technology, New Delhi
Introduction
IOT Devices
• IOT devices are everywhere
• Handles sensitive Data
• Limited power and compute capabilities !!
Aim• Ensure control flow integrity of the program
• Prove software methods alone are not enough
• Need hardware support• General design of Hardware assisted security
Attack Vector
• Attacks based on source code (obtained using declassification)
• Code obfuscation techniques prevent such attacks.
• Attacks based on trace of a binary
• Code obfuscation cannot prevent such attacks.
• Critical region can be figured out
• Control flow violation
Trace Example:
402f67: 84 c0 test %al,%al402f69: 0f 84 e3 fe ff ff je 402e52 <_ZN4iitd2ac2in14ClientSoftware9check_licEJvPN4java4lang6Str402f6f: e9 b5 fe ff ff jmpq 402e29 <_ZN4iitd2ac2in14ClientSoftware9check_licEJvPN4java4lang6Str402f74: 48 83 fa 02 cmp $0x2,%rdx402f78: 74 08 je 402f82 <_ZN4iitd2ac2in14ClientSoftware9check_licEJvPN4java4lang6Str402f7a: 48 89 c7 mov %rax,%rdi402f7d: e8 ee f7 ff ff callq 402770 <_Unwind_Resume@plt>402f82: 48 8b 40 f8 mov -0x8(%rax),%rax402f86: 48 8b 05 73 5f bc 00 mov 0xbc5f73(%rip),%rax re_10_ref.2097>402f8d: 48 85 c0 test %rax,%rax402f90: 0f 94 c0 sete %al402f93: 84 c0 test %al,%al402f95: 0f 84 5b ff ff ff je 402ef6 <_ZN4iitd2ac2in14ClientSoftware9check_licEJvPN4java4lang6Str402f9b: e9 2d ff ff ff jmpq 402ecd <_ZN4iitd2ac2in14ClientSoftware9check_licEJvPN4java4lang6Str402fa0: 48 83 ec 80 sub $0xffffffffffffff80,%rsp402fa4: 5b pop %rbx402fa5: 41 5c pop %r12402fa7: 5d pop %rbp402fa8: c3 retq
SecurityLicense Checking
Sample: License Check
● License Managers○ Based on cryptographic guarantees.
● These can be local or server based● License check is done at the start of the
execution○ If passed, run in full mode○ If this fails
■ Close the app, or■ Run with limited features.
7
Init
Check License
Valid License?
Continue
Yes
Crash
No
Is this Enough?
• Toy example, attacks on:
• License3j [3]
• License-Manager [4]
Instruction Based Attack: CFDA (Control Flow Data Analysis)
• The basic idea is to run the code once with a valid license file, and then with an invalid one.
• See the difference in the trace (instructions executed)
• Most likely it will be a call or jump instruction.
• Force it to take the correct path.
9
Init
Invalid License Valid Licese
Crash Continue
Check?
Assumption:Either we have access to the source code or we have the valid license file.
Instruction Based Attack: CGA (Call Graph Alteration)
The basic idea is to get a trace of the binary execution with an invalid license.
1. See all the branch instructions like call and jump statements.
2. Skip functions or groups of instructions that encapsulate the license check function.
3. Eventually we will correctly elide the license check function.
10
Init
Invalid License
Crash Normal Run
Check
Assumptions:1. No access to the source code and a valid
license file.
PreventionCode Obfuscation
Code Obfuscation
12Normal Code
Obfuscated Code
Is Code Obfuscation Enough?
• Trace based attack still works• Trace same, as the output is same.
• Purpose of code obfuscation is to make reverse engineering difficult
• We need access to the source code to run code obfuscator.
Impact of Binary Size
• Attacks relies on trace of the binary execution.
• For binaries with size larger than ~20 MB, total number of possible unexplored path increases exponentially.
Call Graphs
1. Trace of the execution binary can be represented as a graph.1. Nnodes are the functions and edges are function calls from one function to
another.2. This forms a very specific pattern in the call graph.
15Green node is the call to the License Check function, which in turns
calls the library function represented by the red nodeBlue node represents the function which does the work after the
license check has been completed.
Structural Difference between Graphs [2]
Calculating the Difference Map:
• If the one-to-one correspondence between the nodes of the graphs needs to be computed, the problem is known to be NP-complete.
• if Node 1 and Node 2 have a labeling, such that a node in Graph 1 is the same as a node in Graph 2, if and only if, their labels are equal, then computing a difference map can be done efficiently.
17
Graph based Analysis [1]
Representation of Function NodesFunctional Call Graph with External Nodes
Key Observations:
1. Each node in the graph can be uniquely identified using its properties.2. External functions are not in the binary but is called using dynamically linked libraries.
Control Flow Graph Analysis
Possible Jump targets:
1. 0x934140 to 0x402fa92. 0x9e4030 to 0x402fa93. 0x9e7f30 to 0x402fa94. 0x9f49d0 to 0x402fa95. 0x402690 to 0x402fa96. 0x9ef1b8 to 0x402fa97. 0x9ef1fa to 0x402fa98. 0x9e84a0 to 0x402fa9
Difference Map b/w Correct and Incorrect Execution
This breaks the security of our toy example.
Graph Analysis without the Correct License
• Pattern detection from Call Graph.
• Calls made to the license check function will not be frequent.• Mostly in the beginning.
• Given a labeled graph, find the sub graph which not frequented much.
• Algorithms like:• SigGram
• Clustering algorithms can be used to detect these subgraphs.
Control Flow Graph Analysis
Extra calls made when the code was executed
using the correct license file, and when using the
JUMP from0x9e84a0 to 0x402fa9
Better… Prevention
Protection against Instruction Jump
Protection against Instruction Jump attacksProfiling:• Profile the binary to create a valid set of jump or call locations.• Represent this information in a compressed format
Dynamic Monitoring• During the execution, verify the correctness
• At every call and jump instruction• After a fixed interval
• Performance hits
Context of IOT devices• Due to limited computer capability, implementation of these
algorithms are limited.• Need Hardware support.
Future Directions
• External Functions analysis.
• Production binaries.
• Function graphs can be used as a security measure also, as a malware execution will be captured in the graph and that can be used to detect the malware.
• A hardware level prevention scheme.
25
Thank You.References:[1] Rajeswaran, Deebiga, "Function Call Graph Score for Malware Detection" (2015). Master's Projects. 445.https://scholarworks.sjsu.edu/etd_projects/445
[2] Daniel Archambault. 2009. Structural differences between two graphs through hierarchies. In Proceedings of Graphics Interface 2009 (GI '09). Canadian Information Processing Society, Toronto, Ont., Canada, Canada, 87-94.
[3] https://github.com/verhas/License3j