Defending Embedded Systems with Software Symbiotes

  • Ang Cui
  • Salvatore J. Stolfo
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6961)


A large number of embedded devices on the internet, such as routers and VOIP phones, are typically ripe for exploitation. Little to no defensive technology, such as AV scanners or IDS’s, are available to protect these devices.We propose a host-based defense mechanism, which we call Symbiotic Embedded Machines (SEM), that is specifically designed to inject intrusion detection functionality into the firmware of the device. A SEM or simply the Symbiote, may be injected into deployed legacy embedded systems with no disruption to the operation of the device. A Symbiote is a code structure embedded in situ into the firmware of an embedded system. The Symbiote can tightly co-exist with arbitrary host executables in a mutually defensive arrangement, sharing computational resources with its host while simultaneously protecting the host against exploitation and unauthorized modification. The Symbiote is stealthily embedded in a randomized fashion within an arbitrary body of firmware to protect itself from removal. We demonstrate the operation of a generic whitelist-based rootkit detector Symbiote injected in situ into Cisco IOS with negligible performance penalty and without impacting the routers functionality. We present the performance overhead of a Symbiote on physical Cisco router hardware. A MIPS implementation of the Symbiote was ported to ARM and injected into a Linux 2.4 kernel, allowing the Symbiote to operate within Android and other mobile computing devices. The use of Symbiotes represents a practical and effective protection mechanism for a wide range of devices, especially widely deployed, unprotected, legacy embedded devices.


Symbiotic EmbeddedMachines Embedded Device Defense Cisco IOS Rootkit Detection 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Microsoft Corporation, Kernel Patch Protection: Frequently Asked Questions (2006),
  2. 2.
    Network Bluepill. (2008),
  3. 3.
    Chang, H., Atallah, M.J.: Protecting software code by guards. In: Sander, T. (ed.) DRM 2001. LNCS, vol. 2320, pp. 160–175. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    Cui, A., Kataria, J., Stolfo, S.J.: Killing the myth of cisco ios diversity: Towards reliable, large-scale exploitation of cisco ios. In: USENIX Workshop on Offensive Technologies (August 2011)Google Scholar
  5. 5.
    Erlingsson, Ú., Abadi, M., Vrable, M., Budiu, M., Necula, G.C.: Xfi: Software guards for system address spaces. In: OSDI, pp. 75–88. USENIX Association (2006)Google Scholar
  6. 6.
    Ligati, et al.: Enforcing security policies with run-time program monitors. Princeton University, Princeton (2005)Google Scholar
  7. 7.
    Harbour, N.: Win at Reversing: API Tracing and Sandboxing Through Inline Hooking. In: BlackHat, USA (2009)Google Scholar
  8. 8.
    Kiamilev, F., Hoover, R.: Demonstration of Hardware Trojans. In: Defcon 16 (2008)Google Scholar
  9. 9.
    Krügel, C., Robertson, W.K., Vigna, G.: Detecting kernel-level rootkits through binary analysis. In: ACSAC, pp. 91–100. IEEE Computer Society, Los Alamitos (2004)Google Scholar
  10. 10.
    Felix ”FX” Linder. Cisco IOS Router Exploitation. In: BlackHat, USA (2009)Google Scholar
  11. 11.
    Lippmann, R., Kirda, E., Trachtenberg, A. (eds.): RAID 2008. LNCS, vol. 5230. Springer, Heidelberg (2008)Google Scholar
  12. 12.
    McLaughlin, S., Podkuiko, D., Delozier, A., Miadzvezhanka, S., McDaniel, P.: Embedded firmware diversity for smart electric meters. In: HotSec 2010 (2010)Google Scholar
  13. 13.
    Lynn, M.: Cisco IOS Shellcode. In: BlackHat, USA (2005)Google Scholar
  14. 14.
    Muniz, S.: Killing the myth of Cisco IOS rootkits: DIK. In: EUSecWest (2008)Google Scholar
  15. 15.
    Riley, R., Jiang, X., Xu, D.: Guest-transparent prevention of kernel rootkits with vmm-based memory shadowing. In: Lippmann, et al. (eds.) [11], pp. 1–20Google Scholar
  16. 16.
    Roecher, D.-J., Thumann, M.: NAC Attack. In: BlackHat, USA (2007)Google Scholar
  17. 17.
    Skywing. Subverting PatchGuard Version 2, Uninformed 6 (2008)Google Scholar
  18. 18.
    Song, Y., Prahbu, P.V., Stolfo, S.J.: Smashing the stack with hydra: The many heads of advanced shellcode polymorphism. In: Defcon 17 (2009)Google Scholar
  19. 19.
    Vasisht, V.R., Lee, H.-H.S.: Shark: Architectural support for autonomic protection against stealth by rootkit exploits. In: MICRO, pp. 106–116. IEEE Computer Society, Los Alamitos (2008)Google Scholar
  20. 20.
    Ganesh, M.R.V., Leek, T.: Taint-based directed whitebox fuzzing. In: IEEE 31st International Conference on Software Engineering (2009)Google Scholar
  21. 21.
    Wa, R., Hunt, G., Hunt, G., Brubacher, D., Brubacher, D.: Detours: Binary interception of win32 functions. In: Proceedings of the 3rd USENIX Windows NT Symposium, pp. 135–143 (1998)Google Scholar
  22. 22.
    Wang, Z., Jiang, X., Cui, W., Wang, X.: Countering persistent kernel rootkits through systematic hook discovery. In: Lippmann, et al. (eds.) [11], pp. 21–38Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Ang Cui
    • 1
  • Salvatore J. Stolfo
    • 1
  1. 1.Department of Computer ScienceColumbia UniversityNew YorkUSA

Personalised recommendations