Securing Embedded Devices by Enforcing Lowest Privilege Execution

Research Areas: Cyber-Physical Systems

Principal Investigator: Saurabh Bagchi

With more than 9 billion embedded processors in use today, the number of embedded devices has surpassed the number of humans. With the rise of the “Internet of Things” (IoT), the number of embedded devices and their connectivity are exploding. These “things” include fitness trackers, smart light bulbs, smart thermostats, home assistants, utility smart meters, and smart locks. The increasing network connectivity coupled with the ubiquity of these devices makes securing IoT systems a critical task. Evidence of the dangers of insecure IoT systems abounds. For example, in 2016, hijacked smart devices like CCTV cameras and digital video recorders launched the largest distributed denial of service attack to date.

Many of these devices are low cost with software running directly on the hardware, known as “bare-metal systems.” The application runs as privileged, low-level software with direct access to the resources of the microcontroller (µC) and its peripherals. Unlike desktop systems, there are no intervening operating system software layers to control access to the resources in a secure manner. Making matters worse, embedded systems largely lack protection against code injection, control-flow hijacking, and data corruption attacks.

We are improving the security of bare-metal embedded and IoT systems through the design of a privilege overlay that restricts the privileges and capabilities of each region of the application to the lowest level necessary for its intended operations. Our innovations, instantiated in a system called ACES, can be applied without modifying the application and with only limited user annotations (to indicate which operations are security critical), which eases applying ACES to legacy embedded applications. We have achieved this through three interlocking tasks:

  • New static and dynamic analyses to identify security and functionality characteristics of each part of the application;
  • New runtime techniques that enforce the desired security properties while minimizing the performance impact; and
  • New security metrics and benchmarks that accurately measure the security and performance impacts of defense mechanisms for embedded systems.
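To make the privilege-overlay idea concrete, the following C program is an added illustration (it is not code from ACES, the project, or this page). It models one compartment's view of memory as a small table of address regions carrying read/write/execute bits, enforces a default-deny access check, and verifies a W^X property over the table; the compartment names, region layout, and addresses are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access kinds; also used as a bitmask of granted permissions. */
typedef enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 } perm_t;

/* A contiguous address range with the permissions one compartment holds on it. */
typedef struct {
    const char *what;
    uint32_t base;
    uint32_t len;
    unsigned perms;            /* OR of perm_t bits */
} region_t;

#define MAX_REGIONS 8          /* ARMv7-M MPUs typically expose 8 regions */

typedef struct {
    const char *name;
    region_t regions[MAX_REGIONS];
    size_t nregions;
} compartment_t;

/* Default-deny check: an access is allowed only if some region of the active
 * compartment covers the address AND that region grants the requested kind. */
bool access_allowed(const compartment_t *c, uint32_t addr, perm_t kind) {
    for (size_t i = 0; i < c->nregions; i++) {
        const region_t *r = &c->regions[i];
        if (addr >= r->base && addr - r->base < r->len)
            return (r->perms & (unsigned)kind) != 0;
    }
    return false;              /* address not mapped into this compartment */
}

/* W^X: no region may be writable and executable at once; a region that is
 * both lets a memory-corruption bug turn into code injection. */
bool compartment_is_wx_safe(const compartment_t *c) {
    for (size_t i = 0; i < c->nregions; i++)
        if ((c->regions[i].perms & (PERM_W | PERM_X)) == (PERM_W | PERM_X))
            return false;
    return true;
}

/* Constructed layout (hypothetical, loosely STM32-like addresses):
 * flash at 0x0800_0000, SRAM at 0x2000_0000, a UART block at 0x4000_4400.
 * The "sensor" compartment may touch the UART; the "crypto" compartment
 * may touch key material; neither sees the other's data. */
static const compartment_t sensor = {
    "sensor", {
        { "sensor code",  0x08000000u, 0x1000u, PERM_R | PERM_X },
        { "sensor data",  0x20000000u, 0x0400u, PERM_R | PERM_W },
        { "uart",         0x40004400u, 0x0400u, PERM_R | PERM_W },
    }, 3 };

static const compartment_t crypto = {
    "crypto", {
        { "crypto code",  0x08001000u, 0x1000u, PERM_R | PERM_X },
        { "key material", 0x20001000u, 0x0100u, PERM_R | PERM_W },
    }, 2 };

/* Thin wrappers so each policy decision is a plain function call. */
bool sensor_can(uint32_t addr, perm_t kind) { return access_allowed(&sensor, addr, kind); }
bool crypto_can(uint32_t addr, perm_t kind) { return access_allowed(&crypto, addr, kind); }
bool sensor_is_wx_safe(void) { return compartment_is_wx_safe(&sensor); }
bool crypto_is_wx_safe(void) { return compartment_is_wx_safe(&crypto); }

int main(void) {
    printf("sensor executes own code:        %d\n", sensor_can(0x08000010u, PERM_X));
    printf("sensor writes own code (inject): %d\n", sensor_can(0x08000010u, PERM_W));
    printf("sensor reads crypto key:         %d\n", sensor_can(0x20001000u, PERM_R));
    printf("crypto writes UART:              %d\n", crypto_can(0x40004400u, PERM_W));
    printf("both compartments W^X safe:      %d\n", sensor_is_wx_safe() && crypto_is_wx_safe());
    return 0;
}
```

On real Cortex-M class hardware the check is performed by the MPU rather than by software, and the MPU imposes constraints this model ignores: a fixed, small number of regions and (on ARMv7-M) power-of-two sizes and alignment. Fitting an application's code, data and peripheral accesses into such a region table is exactly the kind of decision the static and dynamic analyses above have to make.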

We demonstrate the benefits of ACES through realistic applications developed in five domains on actual hardware—smart homes, wearables, smart cities, transportation, and industrial control systems.


Other PIs: Mathias Payer, Abraham Clements

Representative Publications

  • Naif Saleh Almakhdhub (Purdue and King Saud University), Abraham A. Clements (Sandia National Labs), Saurabh Bagchi, and Mathias Payer (EPFL), “μRAI: Return Address Integrity for Embedded Systems,” In Proceedings of the Network and Distributed System Security Symposium (NDSS), pp. 1–18, February 23–26, 2020, San Diego, CA.

  • Abraham A. Clements (Purdue & Sandia), Eric Gustafson (UCSB), Tobias Scharnowski (Ruhr University Bochum), Paul Grosen (UCSB), David Fritz (Sandia), Christopher Kruegel (UCSB), Giovanni Vigna (UCSB), Saurabh Bagchi, and Mathias Payer (EPFL), “HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation,” Accepted to appear in Proceedings of the 29th USENIX Security Symposium (USENIX Sec), pp. 1–18, Aug 12–14, 2020, Boston, MA.

  • Naif Almakhdhub, Abraham Clements, Mathias Payer, and Saurabh Bagchi, “BenchIoT: A Benchmark for the Things in the Internet of Things,” In Proceedings of the 49th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 234–246, June 24–27, 2019, Portland, OR.

  • Abraham A. Clements, Naif S. Almakhdhub, Saurabh Bagchi, and Mathias Payer, “ACES: Automatic Compartments for Embedded Systems,” In Proceedings of the 27th USENIX Security Symposium (USENIX Sec ’18), pp. 65–82, Aug 15–17, 2018, Baltimore, MD.

  • Abraham A. Clements, Naif Saleh Almakhdhub, Khaled Saab, Prashast Srivastava, Jinkyu Koo, Saurabh Bagchi, and Mathias Payer, “Protecting Bare-metal Embedded Systems with Privilege Overlays,” In Proceedings of the IEEE Symposium on Security and Privacy (Oakland), pp. 289–303, May 22–26, 2017, San Jose, CA.

Keywords: embedded system, least privilege execution, microcontroller security