Off-the-shelf Embedded Devices as Platforms for Security Research

With increasing concerns about the security and trustworthiness of embedded devices, the importance of research on their firmware is growing. Unfortunately, researchers with new ideas for improving the security of these devices (e.g., fuzzing) or studying adversarial scenarios (e.g., malware) face massive hurdles when applying them to actual hardware. To conduct realistic experiments, we need real-world hardware that can be easily used for security research. Unfortunately, such devices are scarce and depend entirely on efforts by the hacker community. In this paper, we describe two new devices that we have opened up, a programmable logic controller (PLC) and a solid state drive (SSD). These two types of devices have not been previously reverse engineered, and they are both interesting cases given the recent developments in the security of embedded devices and the rise of the Internet of Things. We discuss possible new directions with these two "real-world" research platforms. We further make the results of our efforts available to the security community in order to make it easier to get started in this research area.
