TY - GEN
T1 - Building Embedded Systems Like It's 1996
AU - Yu, Ruotong
AU - Del Nin, Francesca
AU - Zhang, Yuchen
AU - Huang, Shan
AU - Kaliyar, Pallavi
AU - Zakto, Sarah
AU - Conti, Mauro
AU - Portokalidis, Georgios
AU - Xu, Jun
N1 - Publisher Copyright:
© 2022 29th Annual Network and Distributed System Security Symposium, NDSS 2022. All Rights Reserved.
PY - 2022
Y1 - 2022
AB - Embedded devices are ubiquitous. However, preliminary evidence shows that attack mitigations protecting our desktops/servers/phones are missing in embedded devices, posing a significant threat to embedded security. To this end, this paper presents an in-depth study on the adoption of common attack mitigations on embedded devices. Precisely, it measures the presence of standard mitigations against memory corruptions in over 10k Linux-based firmware of deployed embedded devices. The study reveals that embedded devices largely omit both user-space and kernel-level attack mitigations. The adoption rates on embedded devices are multiple times lower than their desktop counterparts. An equally important observation is that the situation is not improving over time. Without changing the current practices, the attack mitigations will remain missing, which may become a bigger threat in the upcoming IoT era. Throughout follow-up analyses, we further inferred a set of factors possibly contributing to the absence of attack mitigations. The exemplary ones include massive reuse of non-protected software, lateness in upgrading outdated kernels, and restrictions imposed by automated building tools. We envision these will turn into insights towards improving the adoption of attack mitigations on embedded devices in the future.
UR - http://www.scopus.com/inward/record.url?scp=85149174953&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85149174953&partnerID=8YFLogxK
U2 - 10.14722/ndss.2022.24031
DO - 10.14722/ndss.2022.24031
M3 - Conference contribution
AN - SCOPUS:85149174953
T3 - 29th Annual Network and Distributed System Security Symposium, NDSS 2022
BT - 29th Annual Network and Distributed System Security Symposium, NDSS 2022
T2 - 29th Annual Network and Distributed System Security Symposium, NDSS 2022
Y2 - 24 April 2022 through 28 April 2022
ER -