
<mods xmlns="http://www.loc.gov/mods/v3" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.loc.gov/mods/v3 http://www.loc.gov/standards/mods/v3/mods-3-4.xsd">
    
    <titleInfo>
        <title>Defending Embedded Systems with Software Symbiotes</title>
    </titleInfo>
    <name type="personal" ID="ac2024">
        <namePart type="family">Cui</namePart>
        <namePart type="given">Ang</namePart>
        <role>
            <roleTerm type="text">author</roleTerm>
        </role>
        <affiliation>Columbia University. Computer Science</affiliation>
    </name>
    <name type="personal" ID="sjs11">
        <namePart type="family">Stolfo</namePart>
        <namePart type="given">Salvatore</namePart>
        <role>
            <roleTerm type="text">author</roleTerm>
        </role>
        <affiliation>Columbia University. Computer Science</affiliation>
    </name>
    <name type="corporate">
        <namePart>Columbia University. Computer Science</namePart>
        <role>
            <roleTerm type="text">originator</roleTerm>
        </role>
    </name>
    <typeOfResource>text</typeOfResource>
    <genre>Articles</genre>
    
    <originInfo>
        <dateIssued encoding="w3cdtf" keyDate="yes">2011</dateIssued>
        <edition>manuscript version</edition>
    </originInfo>
    
    <language>
        <languageTerm type="text">English</languageTerm>
    </language>
    <abstract>A large number of embedded devices on the internet, such as routers and VoIP phones, are typically ripe for exploitation. Little to no defensive technology, such as AV scanners or IDSs, is available to protect these devices. We propose a host-based defense mechanism, which we call Symbiotic Embedded Machines (SEM), that is specifically designed to inject intrusion detection functionality into the firmware of the device. A SEM, or simply the Symbiote, may be injected into deployed legacy embedded systems with no disruption to the operation of the device. A Symbiote is a code structure embedded in situ into the firmware of an embedded system. The Symbiote can tightly co-exist with arbitrary host executables in a mutually defensive arrangement, sharing computational resources with its host while simultaneously protecting the host against exploitation and unauthorized modification. The Symbiote is stealthily embedded in a randomized fashion within an arbitrary body of firmware to protect itself from removal. We demonstrate the operation of a generic whitelist-based rootkit detector Symbiote injected in situ into Cisco IOS with negligible performance penalty and without impacting the router&apos;s functionality. We present the performance overhead of a Symbiote on physical Cisco router hardware. A MIPS implementation of the Symbiote was ported to ARM and injected into a Linux 2.4 kernel, allowing the Symbiote to operate within Android and other mobile computing devices. The use of Symbiotes represents a practical and effective protection mechanism for a wide range of devices, especially widely deployed, unprotected, legacy embedded devices.</abstract>
    <subject>
        <topic>Computer science</topic>
    </subject>
    <relatedItem type="host">
        <titleInfo>
            <title>Recent Advances in Intrusion Detection: 14th International Symposium, RAID 2011, Menlo Park, CA, USA, September 20-21, 2011: Proceedings</title>
        </titleInfo>
        <name type="personal">
            <namePart type="family">Sommer</namePart>
            <namePart type="given">Robin</namePart>
            <role>
                <roleTerm type="text">editor</roleTerm>
            </role>
        </name>
        <name type="personal">
            <namePart type="family">Balzarotti</namePart>
            <namePart type="given">Davide</namePart>
            <role>
                <roleTerm type="text">editor</roleTerm>
            </role>
        </name>
        <name type="personal">
            <namePart type="family">Maier</namePart>
            <namePart type="given">Gregor</namePart>
            <role>
                <roleTerm type="text">editor</roleTerm>
            </role>
        </name>
        <originInfo>
            <place>
               <placeTerm type="text">New York</placeTerm>
            </place>
            <publisher>Springer</publisher>
            <dateIssued encoding="w3cdtf">2011</dateIssued>
        </originInfo>
        <relatedItem type="series">
            <titleInfo>
                <title>Lecture Notes in Computer Science</title>
                <partNumber>6961</partNumber>
            </titleInfo>
        </relatedItem>
    </relatedItem>
    <identifier type="hdl">http://hdl.handle.net/10022/AC:P:12013</identifier>
    
    <location>
        <physicalLocation authority="marcorg">NNC</physicalLocation>
    </location>
    
    <recordInfo>
        <recordContentSource authority="marcorg">NNC</recordContentSource>
        <recordCreationDate encoding="w3cdtf">2011-12-16 14:03:04 -0500</recordCreationDate>
        <recordChangeDate encoding="w3cdtf">2011-12-16 14:07:08 -0500</recordChangeDate>
        <recordIdentifier>6004</recordIdentifier>
        <languageOfCataloging>
            <languageTerm authority="iso639-2b">eng</languageTerm>
        </languageOfCataloging>
    </recordInfo>
    
</mods>
