Secure Execution: IoT Devices Workshop on IoT Security 11th Sept 2018


1 Secure Execution: IoT Devices Workshop on IoT Security 11th Sept 2018
Sandeep Kumar Dr. Smruti R. Sarangi Indian Institute of Technology, New Delhi

2 Introduction

3 IoT Devices
IoT devices are everywhere. They handle sensitive data. Limited power and compute capabilities!
As we know, IoT devices are now everywhere. They handle all kinds of data, including sensitive data such as medical data, home information, etc. As Professor Ranjan Bose said, Google Home and Alexa know us too well: when we wake up, when we eat breakfast, when we go to bed, etc. Hence the security of this data is of utmost importance.

4 Aim
Ensure control flow integrity of the program. Prove that software methods alone are not enough. Need hardware support. General design of hardware-assisted security.

5 Attack Vector
Trace Example:
402f67:       84 c0                   test   %al,%al
402f69:       0f 84 e3 fe ff ff       je     402e52 <_ZN4iitd2ac2in14ClientSoftware9check_licEJvPN4java4lang6Str
402f6f:       e9 b5 fe ff ff          jmpq   402e29 <_ZN4iitd2ac2in14ClientSoftware9check_licEJvPN4java4lang6Str
402f74:       48 83 fa 02             cmp    $0x2,%rdx
402f78:       74 08                   je     402f82 <_ZN4iitd2ac2in14ClientSoftware9check_licEJvPN4java4lang6Str
402f7a:       48 89 c7                mov    %rax,%rdi
402f7d:       e8 ee f7 ff ff          callq
402f82:       48 8b 40 f8             mov    -0x8(%rax),%rax
402f86:       48 8b f bc 00           mov    0xbc5f73(%rip),%rax        re_10_ref.2097>
402f8d:       48 85 c0                test   %rax,%rax
402f90:       0f 94 c0                sete   %al
402f93:       84 c0                   test   %al,%al
402f95:       0f 84 5b ff ff ff       je     402ef6 <_ZN4iitd2ac2in14ClientSoftware9check_licEJvPN4java4lang6Str
402f9b:       e9 2d ff ff ff          jmpq   402ecd <_ZN4iitd2ac2in14ClientSoftware9check_licEJvPN4java4lang6Str
402fa0:       48 83 ec 80             sub    $0xffffffffffffff80,%rsp
402fa4:       5b                      pop    %rbx
402fa5:       41 5c                   pop    %r12
402fa7:       5d                      pop    %rbp
402fa8:       c3                      retq
Attacks based on source code (obtained using declassification): code obfuscation techniques prevent such attacks. Attacks based on the trace of a binary: code obfuscation cannot prevent such attacks. The critical region can be figured out, leading to a control flow violation.

6 License Checking Security

7 Sample: License Check
License managers are based on cryptographic guarantees. These can be local or server based. The license check is done at the start of the execution. If it passes, run in full mode. If it fails, close the app, or run with limited features.
(Flowchart: Init, Check License, Valid License? Yes: Continue; No: Crash)

8 Is this Enough? Toy example, attacks on:​ License3j​ [3]
License-Manager [4]

9 Instruction Based Attack: CFDA (Control Flow Data Analysis)
The basic idea is to run the code once with a valid license file, and then with an invalid one. See the difference in the trace (instructions executed). Most likely it will be a call or jump instruction. Force it to take the correct path.
(Flowchart: Init, Check? Invalid License: Crash; Valid License: Continue)
Assumption: Either we have access to the source code or we have the valid license file.

10 Instruction Based Attack: CGA (Call Graph Alteration)
The basic idea is to get a trace of the binary execution with an invalid license. See all the branch instructions, like call and jump statements. Skip functions or groups of instructions that encapsulate the license check function. Eventually we will correctly elide the license check function.
(Flowchart: Init, Check, Invalid License: Crash; Normal Run)
Assumptions: No access to the source code and no valid license file.

11 Code Obfuscation Prevention

12 Code Obfuscation
(Figure: Normal Code vs. Obfuscated Code)

13 Is Code Obfuscation Enough?
The trace-based attack still works: the trace is the same, as the output is the same. The purpose of code obfuscation is to make reverse engineering difficult. We need access to the source code to run a code obfuscator.

14 Impact of Binary Size
The attacks rely on the trace of the binary execution. For binaries larger than ~20 MB, the total number of possible unexplored paths increases exponentially.

15 Call Graphs
The trace of the executed binary can be represented as a graph. Nodes are the functions and edges are function calls from one function to another. This forms a very specific pattern in the call graph.
(Figure: the green node is the call to the License Check function, which in turn calls the library function represented by the red node. The blue node represents the function which does the work after the license check has been completed.)

16 Structural Difference between Graphs [2]
Calculating the Difference Map: If the one-to-one correspondence between the nodes of the graphs needs to be computed, the problem is known to be NP-complete. If the two graphs have a labeling such that a node in Graph 1 is the same as a node in Graph 2 if and only if their labels are equal, then computing a difference map can be done efficiently.

17 Graph based Analysis [1]
(Figure: Representation of Function Nodes; Functional Call Graph with External Nodes)
Key Observations: 1. Each node in the graph can be uniquely identified using its properties. 2. External functions are not in the binary but are called using dynamically linked libraries.

18 Control Flow Graph Analysis
Difference Map between Correct and Incorrect Execution. Possible jump targets:
0x to 0x402fa9
0x9e4030 to 0x402fa9
0x9e7f30 to 0x402fa9
0x9f49d0 to 0x402fa9
0x to 0x402fa9
0x9ef1b8 to 0x402fa9
0x9ef1fa to 0x402fa9
0x9e84a0 to 0x402fa9
This breaks the security of our toy example.

19 Graph Analysis without the Correct License
Pattern detection from the call graph. Calls made to the license check function will not be frequent, mostly in the beginning. Given a labeled graph, find the subgraph which is not frequented much. Algorithms like SigGram and clustering algorithms can be used to detect these subgraphs.

20 Control Flow Graph Analysis
Extra calls made when the code was executed using the correct license file, and when using the JUMP from 0x9e84a0 to 0x402fa9

21 Better… Prevention

22 Protection against Instruction Jump

23 Protection against Instruction Jump attacks
Profiling: Profile the binary to create a valid set of jump or call locations. Represent this information in a compressed format.
Dynamic Monitoring: During the execution, verify the correctness at every call and jump instruction, or after a fixed interval.
Performance hits in the context of IoT devices: due to limited compute capability, the implementation of these algorithms is limited. Need hardware support.
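The profile-then-monitor scheme of slide 23, written here as an added example (not code from the slides or their authors): the profile is the labeled edge map of slide 16, so the runtime check reduces to a difference-map lookup between the observed control-flow edges and the profiled ones. The trace format and instruction sequences are constructed; only the addresses are taken from the slides.

```python
import re
# Constructed traces in a simplified objdump-like form "<addr>: <mnemonic> [<operands>]",
# one executed instruction per line; addresses from the slides, sequence made up here.
VALID_RUN = """
402f69: je 402e52
402e52: mov %rax,%rdi
402e55: callq 9e4030
9e4030: retq
402e5a: jmpq 402f74
402f74: cmp $0x2,%rdx
402f78: je 402f82
402f82: retq
402fa9: nop
"""
# Same program, but this run takes the slide-20 jump from 0x9e84a0 to 0x402fa9.
TAMPERED_RUN = """
402f69: je 402e52
402e52: mov %rax,%rdi
402e55: callq 9e4030
9e4030: push %rbp
9e84a0: jmpq 402fa9
402fa9: nop
"""
TRANSFER = {"je", "jne", "jmp", "jmpq", "call", "callq", "ret", "retq"}
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+(\S+)(?:\s+(.*))?$")

def parse_trace(text):
    """Return [(address, mnemonic)] for every executed instruction in the trace."""
    return [(int(m.group(1), 16), m.group(2))
            for m in map(LINE_RE.match, text.strip().splitlines()) if m]

def control_flow_edges(trace):
    """Yield (src, dst) per transfer instruction; dst is the address that actually
    ran next, so taken, not-taken and indirect targets are all covered."""
    for (src, mnem), (dst, _) in zip(trace, trace[1:]):
        if mnem in TRANSFER:
            yield src, dst

def build_profile(valid_traces):
    """Profiling step: collapse valid runs into one labeled edge map src -> {dst}."""
    allowed = {}
    for text in valid_traces:
        for src, dst in control_flow_edges(parse_trace(text)):
            allowed.setdefault(src, set()).add(dst)
    return {src: frozenset(dsts) for src, dsts in allowed.items()}

def monitor(trace_text, profile):
    """Monitoring step: every observed edge absent from the profile (the difference map)."""
    return [(src, dst) for src, dst in control_flow_edges(parse_trace(trace_text))
            if dst not in profile.get(src, frozenset())]
```

Running `monitor(TAMPERED_RUN, build_profile([VALID_RUN]))` reports the single unprofiled edge `(0x9e84a0, 0x402fa9)`, while the valid run checked against its own profile reports nothing.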

24 Future Directions
External function analysis. Production binaries. Function graphs can also be used as a security measure: a malware execution will be captured in the graph, and that can be used to detect the malware. A hardware-level prevention scheme.

25 Thank You.
References:
[1] Rajeswaran, Deebiga, "Function Call Graph Score for Malware Detection" (2015). Master's Projects. 445.
[2] Daniel Archambault. Structural differences between two graphs through hierarchies. In Proceedings of Graphics Interface 2009 (GI '09). Canadian Information Processing Society, Toronto, Ont., Canada.
[3]

