
One for All and All for One: GNN-based Control-Flow Attestation for Embedded Devices (2403.07465v1)

Published 12 Mar 2024 in cs.CR and cs.LG

Abstract: Control-Flow Attestation (CFA) is a security service that allows an entity (verifier) to verify the integrity of code execution on a remote computer system (prover). Existing CFA schemes suffer from impractical assumptions, such as requiring access to the prover's internal state (e.g., memory or code), the complete Control-Flow Graph (CFG) of the prover's software, large sets of measurements, or tailor-made hardware. Moreover, current CFA schemes are inadequate for attesting embedded systems due to their high computational overhead and resource usage. In this paper, we overcome the limitations of existing CFA schemes for embedded devices by introducing RAGE, a novel, lightweight CFA approach with minimal requirements. RAGE can detect Code Reuse Attacks (CRA), including control- and non-control-data attacks. It efficiently extracts features from one execution trace and leverages Unsupervised Graph Neural Networks (GNNs) to identify deviations from benign executions. The core intuition behind RAGE is to exploit the correspondence between execution trace, execution graph, and execution embeddings to eliminate the unrealistic requirement of having access to a complete CFG. We evaluate RAGE on embedded benchmarks and demonstrate that (i) it detects 40 real-world attacks on embedded software; (ii) when stressed with synthetic return-oriented programming (ROP) and data-oriented programming (DOP) attacks on the real-world embedded software benchmark Embench, it achieves 98.03% (ROP) and 91.01% (DOP) F1-Score while maintaining a low False Positive Rate (FPR) of 3.19%; and (iii) on OpenSSL, used by millions of devices, it achieves 97.49% and 84.42% F1-Score for ROP and DOP attack detection, with an FPR of 5.47%.
