Code injection attacks on harvard-architecture devices

TL;DR

This paper demonstrates a novel method for permanently injecting code into Harvard-architecture wireless sensors, enabling full control and potential network-wide malware propagation, challenging previous assumptions of injection impossibility.

Contribution

It introduces the first known technique for permanent code injection on Harvard-architecture devices, combining return-oriented programming and fake stack injection.

Findings

Successful remote code injection into Mica sensors

Ability to inject a propagating worm for sensor network control

Counter-measures are discussed to prevent such attacks

Abstract

Harvard architecture CPU design is common in the embedded world. Examples of Harvard-based architecture devices are the Mica family of wireless sensors. Mica motes have limited memory and can process only very small packets. Stack-based buffer overflow techniques that inject code into the stack and then execute it are therefore not applicable. It has been a common belief that code injection is impossible on Harvard architectures. This paper presents a remote code injection attack for Mica sensors. We show how to exploit program vulnerabilities to permanently inject any piece of code into the program memory of an Atmel AVR-based sensor. To our knowledge, this is the first result that presents a code injection technique for such devices. Previous work only succeeded in injecting data or performing transient attacks. Injecting permanent code is more powerful since the attacker can gain full control of the target sensor. We also show that this attack can be used to inject a worm that can propagate through the wireless sensor network and possibly create a sensor botnet. Our attack combines different techniques such as return oriented programming and fake stack injection. We present implementation details and suggest some counter-measures.