Towards Automated Detection of Higher-Order Memory Corruption Vulnerabilities in Embedded Devices

Lei Yu (a), Linyu Li (b), Haoyu Wang (c), Xiaoyu Wang (d), Houhua He (e) and Xiaorui Gong (f)
1 School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
2 Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
(a) yulei@iie.ac.cn
(b) lilinyu@iie.ac.cn
(c) wanghaoyu@iie.ac.cn
(d) wangxiaoyu@iie.ac.cn
(e) hehouhua@iie.ac.cn
(f) gongxiaorui@iie.ac.cn

ABSTRACT

The rapid growth and limited security protection of networked embedded devices put the threat of memory corruption attacks leading to remote code execution front and center among security concerns. Current detection approaches detect single-step, single-process memory corruption vulnerabilities well by fuzzing, and often assume that data already stored in the embedded device, or in an embedded device connected to it, is safe. However, an adversary can corrupt memory through a multi-step exploit by first abusing the embedded application to store an attack payload and later having that payload used in a security-critical memory operation. In practice such exploits usually lead to persistent code execution and complete control of the device, yet they are rarely covered by state-of-the-art dynamic testing techniques. To address these stealthy yet harmful threats, we identify a large class of such multi-step memory corruption attacks and define them as higher-order memory corruption vulnerabilities (HOMCVs). We abstract the detailed multi-step exploit models for these vulnerabilities and expose the various attacker-controllable data stores (ACDS) that contribute to memory corruption. Guided by these abstract models, we develop a dynamic data flow tracking (DDFA) based solution that detects data in such stores that would later be transferred to memory, and thereby identifies HOMCVs. The proposed method is validated on an experimental embedded system injected with different variants of higher-order memory corruption vulnerabilities and on two real-world embedded devices. We demonstrate that successful detection can be accomplished with an automatic system named Higher-Order Fuzzing Framework (HOFF), which realizes the DDFA-based solution.

Keywords: Vulnerability, Memory Corruption, Embedded Device.
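To make the two-step pattern in the abstract concrete, the following is an added toy model (not the paper's HOFF code) of a trace-based data-flow check: taint from an external input is recorded when it is written to a data store, re-attached when the store is read back, and any unbounded memory operation on tainted data is reported as first-order (input used directly) or higher-order (input that passed through a store). The handler and store names in the constructed trace are hypothetical.

```python
# Toy higher-order data-flow check; event trace and names are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Taint:
    source: str               # external input the value originates from
    via_store: Optional[str]  # data store the value passed through, if any

# Constructed trace. Event shapes:
#   ("input", var, source)          value arrives from an external interface
#   ("store", key, var)             value persisted into a data store (ACDS)
#   ("load", var, key)              value read back from a data store
#   ("copy", dst, src)              value propagated between variables
#   ("memop", op, var, bounded)     memory operation; bounded=True if length-checked
TRACE = [
    ("input", "param_host", "cgi:set_hostname"),
    ("store", "nvram:hostname", "param_host"),   # step 1: payload persisted
    ("input", "param_fmt", "cgi:set_name"),
    ("memop", "sprintf", "param_fmt", False),    # first-order: input used directly
    ("load", "boot_host", "nvram:hostname"),     # step 2: another handler, later
    ("copy", "tmp", "boot_host"),
    ("memop", "strcpy", "tmp", False),           # higher-order: reached via the store
    ("memop", "strncpy", "boot_host", True),     # bounded use: not reported
]

def analyze(trace) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (order, op, source, store) for each unbounded memop on tainted data."""
    taint: Dict[str, Taint] = {}   # live variable -> taint
    stores: Dict[str, Taint] = {}  # data store key -> taint of what it holds
    findings = []
    for ev in trace:
        kind = ev[0]
        if kind == "input":
            taint[ev[1]] = Taint(ev[2], None)
        elif kind == "store" and ev[2] in taint:
            stores[ev[1]] = taint[ev[2]]          # taint survives in the store
        elif kind == "load" and ev[2] in stores:
            taint[ev[1]] = Taint(stores[ev[2]].source, ev[2])
        elif kind == "copy" and ev[2] in taint:
            taint[ev[1]] = taint[ev[2]]
        elif kind == "memop":
            _, op, var, bounded = ev
            t = taint.get(var)
            if t is not None and not bounded:
                order = "higher-order" if t.via_store else "first-order"
                findings.append((order, op, t.source, t.via_store))
    return findings
```

Running `analyze(TRACE)` reports the `sprintf` use as first-order and the `strcpy` use as higher-order via `nvram:hostname`; the length-checked `strncpy` is not reported.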
