Return to search

Analysis of Firmware Security in Embedded ARM Environments

Modern enterprise-grade systems with virtually unlimited resources have many options when it comes to implementing state of the art intrusion prevention and detection solutions. These solutions are costly in terms of energy, execution time, circuit board area, and capital. Sustainable Internet of Things devices and power-constrained embedded systems are thus forced to make suboptimal security trade-offs. One such trade-off is the design of architectures which prevent execution of injected shell code, yet have allowed Return Oriented Programming (ROP) to emerge as a more reliable way to execute malicious code following attacks. ROP is a method used to take over the execution of a program by causing the return address of a function to be modified through an exploit vector, then returning to small segments of otherwise innocuous code located in executable memory one after the other to carry out the attacker's aims. We show that the Tiva TM4C123GH6PM microcontroller, which utilizes anARM Cortex-M4F processor, can be fully controlled with this technique. Firmware code is pre-loaded into a ROM on Tiva microcontrollers which can be subverted to erase and rewrite the flash memory where the program resides. That same firmware is searched for a Turing-complete gadget set which allows for arbitrary execution. We then design and evaluate a method for verifying the integrity of firmware on embedded systems, in this case Solid State Drives (SSDs). Some manufacturers make firmware updates available, but their proprietary protections leave end users unable to verify the authenticity of the firmware post installation. This means that attackers who are able to get a malicious firmware version installed on a victim SSD are able to operate with full impunity, as the owner will have no tools for detection. We have devised a method for performing side channel analysis of the current drawn by an SSD, which can compare its behavior while running genuine firmware against its behavior when running modified firmware. We train a binary classifier with samples of both versions and are able to consistently discriminate between genuine firmware and modified firmware, even despite changes in external factors such as temperature and supplied power. / Doctor of Philosophy / To most consumers and enterprises, a computer is the desktop or laptop device they use to run applications or write reports. Security for these computers has been a top priority since the advent of the Internet and the security landscape has matured considerably since that time. Yet, these consumer-facing computers are outnumbered several times over by embedded computers and microcontrollers which power ubiquitous systems in industrial control, home automation, and the Internet of Things. Unfortunately, the security landscape for these embedded systems is in relative infancy. Security controls designed for consumer and enterprise computers are often poorly suited for embedded system due to constraints such as power, memory, processing, and real-time performance demands. This research considers the unique constraints of embedded systems and analyzes their security in a practical way. We begin by exploring the mechanism and extent to which a device can be compromised. We show that a technique known as Return Oriented Programming (ROP) can be used to bypass some of the process control protections in place and that there can be enough existing code in the firmware to allow an attacker to execute code at will. This leads naturally to the question of how embedded computers can be secured. One important security assurance is the knowledge that a device is running legitimate firmware. This can be difficult for a device owner to verify due to proprietary protections put in place by manufacturers. However, we contribute a method to detect modifications to firmware on embedded systems, particularly Solid State Drives. This is done through an analysis of the current drawn during drive operations with best-practice data classification techniques. The findings of this research indicate that current embedded devices present a larger surface area for attack, less sophistication required for attack, and a larger quantity of devices vulnerable to attack. Even though these findings should raise concern, we also found that there are practical methods for detecting attack via monitoring and analysis.

Identiferoai:union.ndltd.org:VTETD/oai:vtechworks.lib.vt.edu:10919/102776
Date30 September 2019
CreatorsBrown, Dane Andrew
ContributorsElectrical and Computer Engineering, Clancy, Thomas Charles III, Schaumont, Patrick R., Black, Jonathan T., Yang, Yaling, Gerdes, Ryan M.
PublisherVirginia Tech
Source SetsVirginia Tech Theses and Dissertation
Detected LanguageEnglish
TypeDissertation
FormatETD, application/pdf
RightsIn Copyright, http://rightsstatements.org/vocab/InC/1.0/

Page generated in 0.0024 seconds