WESS 2012: Perimeter-Crossing Buses: a New Attack Surface for Embedded Systems
At the 7th Workshop on Embedded Systems Security (WESS 2012), we presented a paper co-authored with myself and researchers at the Dartmouth Trust Lab. You can read a copy of the paper here. Perhaps our abstract gives you the best overview:
Any channel crossing the perimeter of a system provides an attack surface to the adversary. Standard network interfaces, such as TCP/IP stacks, constitute one such channel, and security researchers and exploit developers have invested much effort into exploring the attack surfaces and defenses there. However, channels such as USB have been overlooked, even though such code is at least as complexly layered as a network stack, and handles even more complex structures; drivers are notorious as a breeding ground of bugs copy-pasted from boilerplate sample code.
This paper maps out the bus-facing attack surface of a modern operating system, and demonstrates that effective and effcient injection of traffic into the buses is real and easily affordable. Further, it presents a simple and inexpensive hardware tool for the job, outlining the architectural and computation-theoretic challenges to creating a defensive OS/driver architecture comparable to that which has been achieved for network stacks.
S. Bratus, T. Goodspeed, P. Johnson, S.W. Smith, R. Speers. “Perimeter-Crossing Buses: a New Attack Surface for Embedded Systems.” 7th Workshop on Embedded Systems Security (WESS 2012). October 2012. To appear.