Home

Defending Embedded Systems with Software Symbiotes

Ang Cui; Salvatore Stolfo

Title:
Defending Embedded Systems with Software Symbiotes
Author(s):
Cui, Ang
Stolfo, Salvatore
Date:
Type:
Articles
Department:
Computer Science
Permanent URL:
Part Number:
6961
Book/Journal Title:
Recent Advances in Intrusion Detection: 14th International Symposium, Raid 2011, Menlo Park, Ca, USA, September 20-21, 2011: Proceedings
Book Author:
Sommer, Robin
Publisher:
Springer
Publisher Location:
New York
Abstract:
A large number of embedded devices on the internet, such as routers and VOIP phones, are typically ripe for exploitation. Little to no defensive technology, such as AV scanners or IDS's, are available to protect these devices. We propose a host-based defense mechanism, which we call Symbiotic Embedded Machines (SEM), that is specifically designed to inject intrusion detection functionality into the firmware of the device. A SEM or simply the Symbiote, may be injected into deployed legacy embedded systems with no disruption to the operation of the device. A Symbiote is a code structure embedded in situ into the firmware of an embedded system. The Symbiote can tightly co-exist with arbitrary host executables in a mutually defensive arrangement, sharing computational resources with its host while simultaneously protecting the host against exploitation and unauthorized modification. The Symbiote is stealthily embedded in a randomized fashion within an arbitrary body of firmware to protect itself from removal. We demonstrate the operation of a generic whitelist-based rootkit detector Symbiote injected in situ into Cisco IOS with negligible performance penalty and without impacting the routers functionality. We present the performance overhead of a Symbiote on physical Cisco router hardware. A MIPS implementation of the Symbiote was ported to ARM and injected into a Linux 2.4 kernel, allowing the Symbiote to operate within Android and other mobile computing devices. The use of Symbiotes represents a practical and effective protection mechanism for a wide range of devices, especially widely deployed, unprotected, legacy embedded devices.
Subject(s):
Computer science
Item views:
1001
Metadata:
text | xml

In Partnership with the Center for Digital Research and Scholarship at Columbia University Libraries/Information Services | Terms of Use