Code Injection Attacks on Harvard-Architecture Devices

[Nytro]

Code Injection Attacks on Harvard-Architecture Devices

Aurélien Francillon

INRIA Rhône-Alpes

655 avenue de l’Europe, Montbonnot

38334 Saint Ismier Cedex, France

aurelien.francillon@inria.fr

Claude Castelluccia

INRIA Rhône-Alpes

655 avenue de l’Europe, Montbonnot

38334 Saint Ismier Cedex, France

claude.castelluccia@inria.fr

ABSTRACT

Harvard architecture CPU design is common in the embed-

ded world. Examples of Harvard-based architecture devices

are the Mica family of wireless sensors. Mica motes have

limited memory and can process only very small packets.

Stack-based buer over

ow techniques that inject code into

the stack and then execute it are therefore not applicable. It

has been a common belief that code injection is impossible

on Harvard architectures. This paper presents a remote code

injection attack for Mica sensors. We show how to exploit

program vulnerabilities to permanently inject any piece of

code into the program memory of an Atmel AVR-based sen-

sor. To our knowledge, this is the rst result that presents

a code injection technique for such devices. Previous work

only succeeded in injecting data or performing transient at-

tacks. Injecting permanent code is more powerful since the

attacker can gain full control of the target sensor. We also

show that this attack can be used to inject a worm that can

propagate through the wireless sensor network and possibly

create a sensor botnet. Our attack combines dierent tech-

niques such as return oriented programming and fake stack

injection. We present implementation details and suggest

some counter-measures.

Download:

www.inrialpes.fr/planete/people/ccastel/PAPERS/CCS08.pdf