Secure Execution in IOT Devices - cs.kyushu-u.ac.jp · Secure Execution: IoT Devices Workshop on...

Secure Execution: IoT Devices Workshop on IoT Security 11 th Sept 2018 Sandeep Kumar Dr. Smruti R. Sarangi Indian Institute of Technology, New Delhi


Secure Execution: IoT Devices
Workshop on IoT Security

11th Sept 2018

Sandeep Kumar
Dr. Smruti R. Sarangi
Indian Institute of Technology, New Delhi

Introduction

IOT Devices

• IOT devices are everywhere

• Handle sensitive data

• Limited power and compute capabilities!

Aim

• Ensure control flow integrity of the program

• Prove software methods alone are not enough

• Need hardware support

• General design of hardware-assisted security

Attack Vector

• Attacks based on source code (obtained using declassification)

• Code obfuscation techniques prevent such attacks.

• Attacks based on trace of a binary

• Code obfuscation cannot prevent such attacks.

• Critical region can be figured out

• Control flow violation

Trace Example:

    402f67: 84 c0                 test %al,%al
    402f69: 0f 84 e3 fe ff ff     je 402e52 <_ZN4iitd2ac2in14ClientSoftware9check_licEJvPN4java4lang6Str
    402f6f: e9 b5 fe ff ff        jmpq 402e29 <_ZN4iitd2ac2in14ClientSoftware9check_licEJvPN4java4lang6Str
    402f74: 48 83 fa 02           cmp $0x2,%rdx
    402f78: 74 08                 je 402f82 <_ZN4iitd2ac2in14ClientSoftware9check_licEJvPN4java4lang6Str
    402f7a: 48 89 c7              mov %rax,%rdi
    402f7d: e8 ee f7 ff ff        callq 402770 <_Unwind_Resume@plt>
    402f82: 48 8b 40 f8           mov -0x8(%rax),%rax
    402f86: 48 8b 05 73 5f bc 00  mov 0xbc5f73(%rip),%rax re_10_ref.2097>
    402f8d: 48 85 c0              test %rax,%rax
    402f90: 0f 94 c0              sete %al
    402f93: 84 c0                 test %al,%al
    402f95: 0f 84 5b ff ff ff     je 402ef6 <_ZN4iitd2ac2in14ClientSoftware9check_licEJvPN4java4lang6Str
    402f9b: e9 2d ff ff ff        jmpq 402ecd <_ZN4iitd2ac2in14ClientSoftware9check_licEJvPN4java4lang6Str
    402fa0: 48 83 ec 80           sub $0xffffffffffffff80,%rsp
    402fa4: 5b                    pop %rbx
    402fa5: 41 5c                 pop %r12
    402fa7: 5d                    pop %rbp
    402fa8: c3                    retq

Security
License Checking

Sample: License Check

● License Managers
  ○ Based on cryptographic guarantees.

● These can be local or server based

● License check is done at the start of the execution
  ○ If passed, run in full mode
  ○ If this fails
    ■ Close the app, or
    ■ Run with limited features.

[Figure: flowchart. Init → Check License → Valid License? Yes: Continue. No: Crash.]

Is this Enough?

• Toy example, attacks on:

• License3j [3]

• License-Manager [4]

Instruction Based Attack: CFDA (Control Flow Data Analysis)

• The basic idea is to run the code once with a valid license file, and then with an invalid one.

• See the difference in the trace (instructions executed)

• Most likely it will be a call or jump instruction.

• Force it to take the correct path.

[Figure: flowchart. Init → Check? Invalid License: Crash. Valid License: Continue.]

Assumption: Either we have access to the source code or we have the valid license file.

Instruction Based Attack: CGA (Call Graph Alteration)

The basic idea is to get a trace of the binary execution with an invalid license.

1. See all the branch instructions like call and jump statements.

2. Skip functions or groups of instructions that encapsulate the license check function.

3. Eventually we will correctly elide the license check function.

[Figure: flowchart with nodes Init, Check, Invalid License, Crash, Normal Run.]

Assumptions:

1. No access to the source code and a valid license file.

Prevention
Code Obfuscation

Code Obfuscation

[Figure panels: Normal Code; Obfuscated Code]

Is Code Obfuscation Enough?

• Trace-based attack still works

• Trace is the same, as the output is the same.

• Purpose of code obfuscation is to make reverse engineering difficult

• We need access to the source code to run code obfuscator.

Impact of Binary Size

• Attacks rely on the trace of the binary execution.

• For binaries with size larger than ~20 MB, the total number of possible unexplored paths increases exponentially.

Call Graphs

1. Trace of the execution binary can be represented as a graph.
   1. Nodes are the functions and edges are function calls from one function to another.

2. This forms a very specific pattern in the call graph.

[Figure: call graph.] Green node is the call to the License Check function, which in turn calls the library function represented by the red node. Blue node represents the function which does the work after the license check has been completed.

Structural Difference between Graphs [2]

Calculating the Difference Map:

• If the one-to-one correspondence between the nodes of the graphs needs to be computed, the problem is known to be NP-complete.

• If Node 1 and Node 2 have a labeling such that a node in Graph 1 is the same as a node in Graph 2 if and only if their labels are equal, then computing a difference map can be done efficiently.

Graph based Analysis [1]

[Figure panels: Representation of Function Nodes; Functional Call Graph with External Nodes]

Key Observations:

1. Each node in the graph can be uniquely identified using its properties.

2. External functions are not in the binary but are called using dynamically linked libraries.

Control Flow Graph Analysis

Possible Jump targets:

1. 0x934140 to 0x402fa9
2. 0x9e4030 to 0x402fa9
3. 0x9e7f30 to 0x402fa9
4. 0x9f49d0 to 0x402fa9
5. 0x402690 to 0x402fa9
6. 0x9ef1b8 to 0x402fa9
7. 0x9ef1fa to 0x402fa9
8. 0x9e84a0 to 0x402fa9

Difference Map b/w Correct and Incorrect Execution

This breaks the security of our toy example.

Graph Analysis without the Correct License

• Pattern detection from Call Graph.

• Calls made to the license check function will not be frequent.

• Mostly in the beginning.

• Given a labeled graph, find the subgraph which is not frequented much.

• Algorithms like:

• SigGram

• Clustering algorithms can be used to detect these subgraphs.

Control Flow Graph Analysis

Extra calls made when the code was executed using the correct license file, and when using the

JUMP from 0x9e84a0 to 0x402fa9

Better… Prevention

Protection against Instruction Jump

Protection against Instruction Jump attacks

Profiling:

• Profile the binary to create a valid set of jump or call locations.

• Represent this information in a compressed format

Dynamic Monitoring

• During the execution, verify the correctness

  • At every call and jump instruction
  • After a fixed interval

• Performance hits

Context of IOT devices

• Due to limited compute capability, implementation of these algorithms is limited.

• Need hardware support.
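
A software sketch of the profiling and dynamic-monitoring scheme above, added here as an example and not taken from the slides. A sorted table of packed (source, target) transfers stands in for the compressed format, which the slides do not specify; the function names, the 4-entry interval and the off-profile transfer 0x402f78 to 0x402fa0 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One control transfer packed as (source << 32) | target. */
typedef uint64_t edge_t;
#define EDGE(src, dst) (((edge_t)(src) << 32) | (uint32_t)(dst))

/* Profile: taken jump/call transfers from the trace listing on the page,
 * kept sorted by packed value so each lookup is a binary search. */
static const edge_t profile[] = {
    EDGE(0x402f69, 0x402e52), EDGE(0x402f6f, 0x402e29),
    EDGE(0x402f78, 0x402f82), EDGE(0x402f7d, 0x402770),
    EDGE(0x402f95, 0x402ef6), EDGE(0x402f9b, 0x402ecd),
};
#define PROFILE_LEN (sizeof profile / sizeof profile[0])

static int cmp_edge(const void *a, const void *b) {
    edge_t x = *(const edge_t *)a, y = *(const edge_t *)b;
    return (x > y) - (x < y);
}

/* Check at every call/jump: 1 if src -> dst was seen during profiling. */
int cfi_edge_ok(uint32_t src, uint32_t dst) {
    edge_t key = EDGE(src, dst);
    return bsearch(&key, profile, PROFILE_LEN, sizeof key, cmp_edge) != NULL;
}

/* Check after a fixed interval: transfers are logged and verified every
 * CFI_INTERVAL entries; a violation is noticed up to 3 transfers late. */
#define CFI_INTERVAL 4
static edge_t pending[CFI_INTERVAL];
static size_t npending;

/* 0 = still buffering or clean batch; else 1-based index of first bad entry. */
int cfi_log_transfer(uint32_t src, uint32_t dst) {
    pending[npending++] = EDGE(src, dst);
    if (npending < CFI_INTERVAL) return 0;
    npending = 0;
    for (size_t i = 0; i < CFI_INTERVAL; i++)
        if (!cfi_edge_ok((uint32_t)(pending[i] >> 32), (uint32_t)pending[i]))
            return (int)i + 1;
    return 0;
}

int main(void) {
    /* 0x402f78 -> 0x402fa0 is a constructed off-profile transfer. */
    printf("%d %d\n", cfi_edge_ok(0x402f7d, 0x402770), cfi_edge_ok(0x402f78, 0x402fa0));
    return 0;
}
```

The per-transfer check costs a binary search on every branch, while the interval check trades detection latency for fewer lookups; either cost is the performance hit the slide refers to.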

Future Directions

• External Functions analysis.

• Production binaries.

• Function graphs can be used as a security measure also, as a malware execution will be captured in the graph and that can be used to detect the malware.

• A hardware level prevention scheme.

Thank You.

References:

[1] Rajeswaran, Deebiga, "Function Call Graph Score for Malware Detection" (2015). Master's Projects. 445. https://scholarworks.sjsu.edu/etd_projects/445

[2] Daniel Archambault. 2009. Structural differences between two graphs through hierarchies. In Proceedings of Graphics Interface 2009 (GI '09). Canadian Information Processing Society, Toronto, Ont., Canada, Canada, 87-94.

[3] https://github.com/verhas/License3j