We demonstrate a simple set of interrupt-related vulnerability primitives that, despite appearing innocuous, give attackers full control of a microcontroller platform. We then present a novel, minimalist approach to constructing deniable bugdoors for microcontroller firmware, and contrast this approach with the current focus of exploitation research on demonstrating the maximum computational power that malicious computation can achieve. Since the introduction of return-oriented programming, an ever-increasing number of targets have been shown to unintentionally yield Turing-complete computation environments to attackers who control the target's various input channels, under ever more restrictive sets of limitations. Although modern OS defensive measures do require complex computations to bypass, this focus on the maximum expressiveness of exploit programming models leads researchers to overlook other research directions for platforms that lack strong defensive measures yet occur in mission-critical systems, namely microcontrollers. On these systems, common attacker goals such as exfiltration of sensitive code and data or arbitrary code execution do not typically require complex computation; instead, a minimal computation is preferred, and a simple set of vulnerability primitives typically suffices. We discuss examples of such vulnerabilities and the new kinds of tools needed to avoid them in future firmware.
Author(s):
Sam Tan
Dartmouth
United States
Sergey Bratus
Dartmouth
United States
Travis Goodspeed
Straw Hat
United States