Runtime Integrity Checking for Exploit Mitigation on Lightweight Embedded Devices

  • Matthias Neugschwandtner
  • Collin Mulliner
  • William Robertson
  • Engin Kirda
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9824)


Entering the age of the Internet of things, embedded devices are everywhere. They are built using common hardware such as RISC-based ARM and MIPS platforms, and lightweight open software components. Because of their limited resources, such systems often lack the protection mechanisms that have been introduced to the desktop and server world. In this paper, we present BINtegrity, a novel approach for exploit mitigation that is specifically tailored towards embedded systems that are based on the common RISC architecture. BINtegrity leverages architectural features of RISC CPUs to extract a combination of static and dynamic properties relevant to OS service requests from executables, and enforces them during runtime. Our technique borrows ideas from several areas including system call monitoring, static analysis, and code emulation, and combines them in a low-overhead fashion directly in the operating system kernel. We implemented BINtegrity for the Linux operating system. BINtegrity is practical, and restricts the ability of attackers to exploit generic memory corruption vulnerabilities in COTS binaries. In contrast to other approaches, BINtegrity does not require access to source code, binary modification, or application specific configuration such as policies. Our evaluation demonstrates that BINtegrity incurs a very low overhead – only 2 % on whole system performance, – and shows that our approach mitigates both code injection and code reuse attacks.


System Call Integrity Check Runtime State Code Injection Check Level 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: ACM Conference on Computer and Communications Security (CCS) (2005)Google Scholar
  2. 2.
    Andersen, S., Abella, V.: Data Execution Prevention. Changes to Functionality in Microsoft Windows XP Service Pack 2, Part 3: Memory Protection Technologies (2004)Google Scholar
  3. 3.
    Baume, T.: Netcomm NB5 Botnet Psyb0t.
  4. 4.
    Cheng, Y., Zhou, Z., Yu, M., Ding, X., Deng, R.: ROPecker: a generic and practical approach for defending against ROP attacks. In: Network and Distributed System Security Symposium (NDSS) (2013)Google Scholar
  5. 5.
  6. 6.
    Davi, L., Hanreich, M., Paul, D., Sadeghi, A.R., Koeberl, P., Sullivan, D., Arias, O., Jin, Y.: HAFIX: Hardware-assisted flow integrity extension. In: Proceedings of the Annual Design Automation Conference (2015)Google Scholar
  7. 7.
    Feng, H.H., Kolesnikov, O.M., Fogla, P., Lee, W., Gong, W.: Anomaly detection using call stack information. In: IEEE Symposium on Security and Privacy (Oakland) (2003)Google Scholar
  8. 8.
    Goektas, E., Athanasopoulos, E., Bos, H., Portokalidis, G.: Out of control: overcoming control-flow integrity. In: IEEE Symposium on Security and Privacy (Oakland) (2014)Google Scholar
  9. 9.
    Holcomb, J.: CVE-2013-465 Exploit.
  10. 10.
    Kruegel, C., Mutz, D., Valeur, F., Vigna, G.: On the detection of anomalous system call arguments. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 326–343. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., Song, D.: Code-pointer integrity. In: USENIX Symposium on Operating Systems Design and Implementation (OSDI) (2014)Google Scholar
  12. 12.
    McVoy, L., Staelin, C.: Lmbench: portable tools for performance analysis. In: USENIX Annual Technical Conference (USENIX ATC) (1996)Google Scholar
  13. 13.
    Pappas, V., Polychronakis, M., Keromytis, A.D.: Transparent ROP exploit mitigation using indirect branch tracing. In: USENIX Security Symposium (USENIX SEC) (2013)Google Scholar
  14. 14.
    Provos, N.: Improving host security with system call policies. In: USENIX Security Symposium (USENIX SEC) (2003)Google Scholar
  15. 15.
    Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.R., Holz, T.: Counterfeit object-oriented programming: on the difficulty of preventing code reuse attacks in C++ applications. In: IEEE Symposium on Security and Privacy (Oakland) (2015)Google Scholar
  16. 16.
    Shu, X., Yao, D., Ramakrishnan, N.: Unearthing stealthy program attacks buried in extremely long execution paths. In: ACM SIGSAC Conference on Computer and Communications Security (CCS) (2015)Google Scholar
  17. 17.
    Szekeres, L., Payer, M., Wei, T., Song, D.: SoK: eternal war in memory. In: IEEE Symposium on Security and Privacy (Oakland) (2013)Google Scholar
  18. 18.
  19. 19.
  20. 20.
    Vaughan, J.A., Hilton, A.D.: Paladin: Helping Programs Help Themselves with Internal System Call Interposition (2010)Google Scholar
  21. 21.
    van der Veen, V., Andriesse, D., Göktaş, E., Gras, B., Sambuc, L., Slowinska, A., Bos, H., Giuffrida, C.: Practical context-sensitive CFI. In: ACM Conference on Computer and Communications Security (CCS) (2015)Google Scholar
  22. 22.
    van der Veen, V., dutt-Sharma, N., Cavallaro, L., Bos, H.: Memory errors: the past, the present, and the future. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 86–106. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  23. 23.
    Wagner, D., Dean, D.: Intrusion detection via static analysis. In: IEEE Symposium on Security and Privacy (Oakland) (2001)Google Scholar
  24. 24.
    Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: ACM Conference on Computer and Communications Security (CCS) (2002)Google Scholar
  25. 25.
    Zhang, M., Sekar, R.: Control flow integrity for COTS binaries. In: USENIX Security Symposium (USENIX SEC) (2013)Google Scholar
  26. 26.
    Zhou, Y., Wang, X., Chen, Y., Wang, Z.: ARMlock: hardware-based fault isolation for ARM. In: ACM Conference on Computer and Communications Security (CCS), November 2014Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Matthias Neugschwandtner
    • 1
    • 2
  • Collin Mulliner
    • 2
  • William Robertson
    • 2
  • Engin Kirda
    • 2
  1. 1.IBM Research ZurichRüschlikonSwitzerland
  2. 2.Northeastern UniversityBostonUSA

Personalised recommendations