Interrupt-oriented bugdoor programming: a minimalist approach to bugdooring embedded systems firmware

We demonstrate a simple set of interrupt-related vulnerability primitives that, despite being apparently innocuous, give attackers full control of a microcontroller platform. We then present a novel, minimalist approach to constructing deniable bugdoors for microcontroller firmware, and contrast this approach with the current focus of exploitation research on demonstrations of the maximum computational power that malicious computation can achieve. Since the introduction of return-oriented programming, an ever-increasing number of targets have been shown to unintentionally yield Turing-complete computation environments to attackers who control the target's various input channels, under ever more restrictive sets of limitations. Yet although modern OS defensive measures do require complex computations to bypass, this focus on the maximum expressiveness of exploit programming models leads researchers to overlook other research directions for platforms that lack strong defensive measures but occur in mission-critical systems, namely microcontrollers. In these systems, common attacker goals such as exfiltration of sensitive code and data or arbitrary code execution do not typically require complex computation; instead, a minimal computation is preferred, and a simple set of vulnerability primitives typically suffices. We discuss examples of such vulnerabilities and the new kinds of tools needed to avoid them in future firmware.
