USENIX Enigma 2017 — Ghost in the Machine: Challenges in Embedded Binary Security

Jos Wetzels, Distributed and Embedded System Security (DIES) Group, University of Twente, Netherlands

Embedded systems are everywhere, from consumer electronics to critical infrastructure, vehicles, airplanes and military equipment. Yet public attention to security of embedded systems is relatively recent compared to that of the general purpose world. Combined with its polyculture of hardware architectures and operating systems and the proprietary and restricted nature of many systems and protocols, this has led to an opaque security landscape for both researchers and developers.

As a result embedded binary security generally lags behind what is commonly expected of modern general purpose systems. Hardening embedded systems via adoption of modern exploitation mitigations isn't, however, a trivial endeavor due to the many challenges and intrinsic constraints imposed by embedded environments. If we take into consideration the dominance of unsafe languages and the fact that patch deployment is far more involved on these systems, this is all the more reason for concern.

In this talk we will delve into the embedded ecosystem, present an overview of the state of embedded binary security and outline some of the challenges faced in the adoption of modern exploit mitigations, drawing upon our experiences during security research conducted into popular embedded OSes and our involvement in developing such mitigations for Industrial Control Systems.