Umbra: Embedded Web Security Through Application-Layer Firewalls

  • Travis Finkenauer
  • J. Alex Halderman
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9588)


Embedded devices with web interfaces are prevalent, but, due to memory and processing constraints, implementations typically make use of Common Gateway Interface (CGI) binaries written in low-level, memory-unsafe languages. This creates the possibility of memory corruption attacks as well as traditional web attacks. We present Umbra, an application-layer firewall specifically designed for protecting web interfaces in embedded devices. By acting as a “friendly man-in-the-middle,” Umbra can protect against attacks such as cross-site request forgery (CSRF), information leaks, and authentication bypass vulnerabilities. We evaluate Umbra’s security by analyzing recent vulnerabilities listed in the CVE database from several embedded vendors and find that it would have prevented half of the vulnerabilities. We also show that Umbra comfortably runs within the constraints of an embedded system while incurring minimal performance overhead.


Embedded security Firewall Web security 



This material is based upon work supported by a gift from Super Micro Computer, Inc. We would particularly like to thank Arun Kalluri, Joe Tai, Linda Wu, Mars Yang, Tau Leng, and Charles Liang from Supermicro. Additional support was provided by the National Science Foundation under grants CNS-1345254, CNS-1409505, and CNS-1518888.


  1. 1.
    Apache Software Foundation: ab–Apache HTTP server benchmarking tool, April 2015.
  2. 2.
    AppArmor Security Project: Getting Started, September 2011.
  3. 3.
    Barracuda Networks: Barracuda web application firewall (2015).
  4. 4.
    Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: 15th ACM Conference on Computer and Communications Security, pp. 75–88. CCS (2008)Google Scholar
  5. 5.
    Bigg, R., et al.: Ruby on Rails security guide (2015).
  6. 6.
    Bonkoski, A., Bielawski, R., Halderman, J.A.: Illuminating the security issues surrounding lights-out server management. In: 7th USENIX Workshop on Offensive Technologies. WOOT (2013)Google Scholar
  7. 7.
    Bosman, E., Slowinska, A., Bos, H.: Minemu: the world’s fastest taint tracker. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 1–20. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  8. 8.
  9. 9.
  10. 10.
  11. 11.
    Cisco Systems: Home network administration protocol (HNAP) whitepaper, January 2009.
  12. 12.
    Coen, T.: Bypass CSRF via XSS. Software talk, March 2015.
  13. 13.
    Cowan, C., et al.: StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In: 7th USENIX Security Symposium (1998)Google Scholar
  14. 14.
    D-Link: DIR-645: Rev. Ax–Command injection–Buffer overflow: FW 1.04b12, January 2015.
  15. 15.
    Davi, L., Sadeghi, A.R., Winandy, M.: ROPdefender: a detection tool to defend against return-oriented programming attacks. In: 6th ACM Symposium on Information, Computer, and Communications Security, pp. 40–51. ASIACCS (2011)Google Scholar
  16. 16.
  17. 17.
    Django Software Foundation: Cross site request forgery protection (2015).
  18. 18.
    Doyle, J.: Lorex IP camera authentication bypass (CVE-2012-6451), December 2012.
  19. 19.
    Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: 22nd USENIX Security Symposium (2013)Google Scholar
  20. 20.
    epoll(7): process trace. Linux Programmer’s ManualGoogle Scholar
  21. 21.
    Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., Stewart, L.: HTTP authentication: basic and digest access authentication. RFC 2617 (Draft Standard), June 1999, updated by RFC 7235.
  22. 22.
    Fu, K., Blum, J.: Inside risks: controlling for cybersecurity risks of medical device software. Commun. ACM 56(10), 21–23 (2013)CrossRefGoogle Scholar
  23. 23.
    Ghena, B., Beyer, W., Hillaker, A., Pevarnek, J., Halderman, J.A.: Green lights forever: analyzing the security of traffic infrastructure. In: 8th USENIX Workshop on Offensive Technologies. WOOT (2014)Google Scholar
  24. 24.
    Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: detection of widespread weak keys in network devices. In: 21st USENIX Security Symposium, August 2012Google Scholar
  25. 25.
    Hewlett-Packard: HP Jetdirect print servers–Using Telnet to configure the HP Jetdirect print server.
  26. 26.
    Hewlett-Packard: HP embedded web server user guide, August 2007.
  27. 27.
    Hewlett-Packard: TippingPoint next-generation firewall (NGFW) technical specifications (2015).
  28. 28.
    Internet Security Research Group: Let’s Encrypt (2015).
  29. 29.
  30. 30.
    Joyent: HTTP parser, April 2015. Scholar
  31. 31.
    Ketkar, C.: Standard versus proprietary security protocols. Justice League Blog, May 2014.
  32. 32.
    Klein, G., et al.: seL4: Formal verification of an OS kernel. In: 22nd Symposium on Operating Systems Principles. pp. 207–220. SOSP, October 2009Google Scholar
  33. 33.
    Kneschke, J.: Lighttpd: Fly light, March 2014.
  34. 34.
    Lafon, Y., Mendelsohn, N., Karmarkar, A., Nielsen, H.F., Hadley, M., Gudgin, M., Moreau, J.J.: SOAP version 1.2 part 2: Adjuncts (2nd edn.). W3C recommendation, April 2007.
  35. 35.
    Leroy, X., Blazy, S., Dargaye, Z., Jourdan, J.H., Tristan, J.B.: CompCert, June 2015.
  36. 36.
    Lewis, D.: Security and the Internet of Things. Forbes, September 2014.
  37. 37.
    Linksys: GPL code center (2014).
  38. 38.
    Medin, T.: Invasion of the network snatchers: Part I. SANS Penetration Testing, May 2013.
  39. 39.
    MITRE Corporation: CVE-2014-4645, June 2014.
  40. 40.
    MITRE Corporation: Common vulnerabilities and exposures, April 2015.
  41. 41.
    Moore, H.D.: Penetration tester’s guide to IPMI and BMCs. Rapid7Community, July 2013.
  42. 42.
    Nachreiner, C.: H.D. Moore unveils major UPnP security vulnerabilities. WatchGuard Security Center, January 2013.
  43. 43.
    Open Crypto Audit Project: Welcome to the Open Crypto Audit Project, June 2014.
  44. 44.
    OpenSSL Project: Welcome to the OpenSSL project (2015).
  45. 45.
    OpenWRT Project: Web server configuration uHTTPd (2014).
  46. 46.
    Orchard, D., McCabe, F., Newcomer, E., Haas, H., Ferris, C., Booth, D., Champion, M.: Web services architecture. W3C note, February 2004.
  47. 47.
    PCI Security Standards Council: Payment Card Industry (PCI) data security standard requirements and security assessment procedures version 3.1, April 2015.
  48. 48.
    Rectanus, B.: IronBee reference manual (2014).
  49. 49.
    Rocha, M., Riva, N., Falcon, F., Santamaria, P.: D-Link IP cameras multiple vulnerabilities, April 2013.
  50. 50.
    Rosenblatt, S.: Car hacking code released at Defcon. CNET, August 2013.
  51. 51.
    Rust Core Team: The Rust programming language.
  52. 52.
    Rust Core Team: Announcing Rust 1.0. Rust Programming Language Blog, May 2015.
  53. 53.
  54. 54.
    Spengler, B.: Grsecurity ACL documentation v1.5, April 2003.
  55. 55.
    Supermicro: Supermicro intelligent management (2015).
  56. 56.
    Trustwave SpiderLabs: ModSecurity: Open source web application firewall (2015).
  57. 57.
    Wagle, P., Cowan, C.: StackGuard: simple stack smash protection for GCC. In: GCC Developers Summit, pp. 243–255, May 2003Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.University of MichiganAnn ArborUSA

Personalised recommendations