What If You Can't Trust Your Network Card?

In the last few years, many different attacks against computing platforms, targeting hardware or low-level firmware, have been published. Such attacks are generally quite hard to detect and to defend against, as they target components that are outside the scope of the operating system and may not have been taken into account in the security policy enforced on the platform. In this paper, we study the case of remote attacks against network adapters. In our case study, we assume that the target adapter is running a flawed firmware that an attacker may subvert remotely by sending packets over the network to the adapter. We study possible detection techniques and their efficiency. We show that, depending on the architecture of the adapter and the interface the NIC provides to the host operating system, building an efficient detection framework is possible. We explain the choices we made when designing such a framework, which we called NAVIS, and give details on our proof-of-concept implementation.
