Self-Healing Control Flow Protection in Sensor Applications
July/August 2011 (vol. 8 no. 4)
pp. 602-616
Christopher Ferguson, Texas State University - San Marcos, San Marcos
Qijun Gu, Texas State University - San Marcos, San Marcos
Since sensors do not have a sophisticated hardware architecture or an operating system to manage code for safety, attacks injecting code to exploit memory-related vulnerabilities can present threats to sensor applications. In a sensor's simple memory architecture, injected code can alter the control flow of a sensor application to either misuse existing routines or download other malicious code to achieve attacks. To protect the control flow, this paper proposes a self-healing scheme that can stop attacks from exploiting the control flow and then recover sensor applications to normal operations with minimum overhead. The self-healing scheme embeds diversified protection code at particular locations to enforce access control in code memory. Both the access control code and the recovery code are designed to be resilient to control flow attacks that attempt to evade the protection. Furthermore, the self-healing scheme directly processes application code at the machine instruction level, instead of performing control or data analysis on source code. The implementation and evaluation show that the self-healing scheme is lightweight in protecting sensor applications.

Index Terms:
Sensor application, control flow, access control, self healing, TinyOS, software security.
Christopher Ferguson, Qijun Gu, "Self-Healing Control Flow Protection in Sensor Applications," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 4, pp. 602-616, July-Aug. 2011, doi:10.1109/TDSC.2011.15