Systematically Detecting Packet Validation Vulnerabilities in Embedded Network Stacks

Embedded Network Stacks (ENS) enable low-resource devices to communicate with the outside world, facilitating the development of the Internet of Things and Cyber-Physical Systems. Some defects in ENS are thus high-severity cybersecurity vulnerabilities: they are remotely triggerable and can impact the physical world. While prior research has shed light on the characteristics of defects in many classes of software systems, no study has described the properties of ENS defects nor identified a systematic technique to expose them. The most common automated approach to detecting ENS defects is feedback-driven randomized dynamic analysis ("fuzzing"), a costly and unpredictable technique. This paper provides the first systematic characterization of cybersecurity vulnerabilities in ENS. We analyzed 61 vulnerabilities across 6 open-source ENS. Most of these ENS defects are concentrated in the transport and network layers of the network stack, require reaching different states in the network protocol, and can be triggered by only 1-2 modifications to a single packet. We therefore propose a novel systematic testing framework that focuses on the transport and network layers, uses seeds that cover a network protocol's states, and systematically modifies packet fields. We evaluated this framework on 4 ENS and replicated 12 of the 14 reported IP/TCP/UDP vulnerabilities. On recent versions of these ENSs, it discovered 7 novel defects (6 assigned CVES) during a bounded systematic test that covered all protocol states and made up to 3 modifications per packet. We found defects in 3 of the 4 ENS we tested that had not been found by prior fuzzing research. Our results suggest that fuzzing should be deferred until after systematic testing is employed.Comment: 12 pages, 3 figures, to be published in the 38th IEEE/ACM International Conference on Automated Software Engineering (ASE 2023

A tale of two worlds:assessing the vulnerability of enclave shielding runtimes

status: publishe

Protecting Smart Devices from the Bottom-up

Modern systems are mainly composed of IoT devices and Smartphones.Most of these devices use ARM processors, which, along with flexiblelicensing, have new security architecture features, such as ARMTrustZone, that enables execution of a secure application in anuntrusted environment. Furthermore, with well-supported, extensible,open-source embedded operating systems like Android allows themanufactures to quickly customize their operating system with devicedrivers, thus reducing the time-to-market.Unfortunately, the proliferation of device vendors and race to the market has resulted in poor quality device drivers containing criticalsecurity vulnerabilities. Furthermore, the patches for thesevulnerabilities get merged into the end-products with a significantdelay resulting in the Patch Gap, which causes privacy andsecurity of billions of users to be at risk.In this dissertation, I will show how the new architecture features can leadto security issues by introducing new attack vectors.Second, I will show that the existing techniques are inadequate to find the security issues in Linux kernel drivers and how, with certain well-defined optimizations, we canprecisely find security issues.Third, I will present my solution to the problem of Patch Gap byshowing a principled approach to automatically port patches to vendor productrepositories.Finally, I will present our on-going work to automatically port C toChecked C, which provides a low overhead, backward-compatible, andmemory-safe C alternative that could be used on resource-constrained modern systems to prevent security vulnerabilities.Through this work, I presented effective ways to find, fix, propagate, and prevent vulnerabilities in modern system software, thus improving modern systems security

Protecting Smart Devices from the Bottom-Up

Modern systems are mainly composed of IoT devices and Smartphones. Most of these devices use ARM processors, which, along with flexible licensing, have new security architecture features, such as ARM TrustZone, that enables execution of a secure application in an untrusted environment. Furthermore, with well-supported, extensible, open-source embedded operating systems like Android allows the manufactures to quickly customize their operating system with device drivers, thus reducing the time-to-market. Unfortunately, the proliferation of device vendors and race to the market has resulted in poor quality device drivers containing critical security vulnerabilities. Furthermore, the patches for these vulnerabilities get merged into the end-products with a significant delay resulting in the Patch Gap, which causes privacy and security of billions of users to be at risk. In this dissertation, I will show how the new architecture features can lead to security issues by introducing new attack vectors. Second, I will show that the existing techniques are inadequate to find the security issues in Linux kernel drivers and how, with certain well-defined optimizations, we can precisely find security issues. Third, I will present my solution to the problem of Patch Gap by showing a principled approach to automatically port patches to vendor product repositories. Finally, I will present our on-going work to automatically port C to Checked C, which provides a low overhead, backward-compatible, and memory-safe C alternative that could be used on resource-constrained modern systems to prevent security vulnerabilities. Through this work, I presented effective ways to find, fix, propagate, and prevent vulnerabilities in modern system software, thus improving modern systems security

Dynodroid: An Input Generation System for Android Apps

We present a system Dynodroid for generating relevant inputs to unmodified Android apps. Dynodroid views an app as an event-driven program that interacts with its environment by means of a sequence of events through the Android framework. By instrumenting the framework once and for all, Dynodroid monitors the reaction of an app upon each event in a lightweight manner, using it to guide the generation of the next event to the app. Dynodroid also allows interleaving events from machines, which are better at generating a large number of simple inputs, with events from humans, who are better at providing intelligent inputs. We evaluated Dynodroid on 50 open-source Android apps, and compared it with two prevalent approaches: users manually exercising apps, and Monkey, a popular fuzzing tool. Dynodroid, humans, and Monkey covered 55%, 60%, and 53%, respectively, of each app’s Java source code on average. Monkey took 20X more events on average than Dynodroid. Dynodroid also found 9 bugs in 7 of the 50 apps, and 6 bugs in 5 of the top 1,000 free apps on Google Play. 1