Dandan Xu,Kai Chen,Miaoqian Lin,Chaoyang Lin,XiaoFeng Wang

DOI: https://doi.org/10.1109/tifs.2023.3322319

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Capture-the-flag (CTF) competitions have become highly successful in security education, and heap corruption is considered one of the most difficult and rewarding challenges due to its complexity and real-world impact. However, developing a heap exploit is a challenging task that often requires significant human involvement to manipulate memory layouts and bypass security checks. To facilitate the exploitation of heap corruption, existing solutions develop automated systems that rely on manually crafted patterns to generate exploits. Such manual patterns tend to be specific, which limits their flexibility to cope with the evolving exploit techniques. To address this limitation, we explore the problem of the automatic summarization of exploit patterns. We leverage an observation that public attack artifacts provide key insights into heap exploits. Based upon this observation, we develop AutoPwn, the first artifact-assisted AEG system that automatically summarizes exploit patterns from artifacts of known heap exploits and uses them to guide the exploitation of new programs. Considering the diversity of programs and exploits, we propose to use a novel Exploitation State Machine (ESM), with generic states and transitions to model the exploit patterns, and then efficiently construct it through combining the dynamic monitoring of exploits and the semantic analysis of their text descriptions. We implement a prototype of AutoPwn and evaluate it on 96 testing CTF binaries. The results show that AutoPwn produces 22 successful exploits and 13 partial exploits, preliminarily demonstrating its efficacy.

Zhongyu Pei,Xingman Chen,Songtao Yang,Haixin Duan,Chao Zhang

DOI: https://doi.org/10.1109/tdsc.2022.3191693

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Acquiring and analyzing exploits, which take advantage of vulnerabilities to conduct malicious actions, are crucial for victims (and defenders) when responding to system compromising incidents. However, exploits are sensitive and valuable assets that are not available to victims. The most common resource available for victims to investigate is network traffic, which covers the exploitation period. Thus reconstructing exploits from network traffic is demanded. In practice, the reconstruction process is performed manually, thus inefficient and non-scalable. In this article, we present an automated solution TAICHI to reconstruct exploits from network traffic, able to generate replica exploits and facilitate timely incident analysis. By nature, a working exploit has to satisfy (1) path constraints which ensure the program path same as the original exploit's is explored and the same vulnerability is triggered, and (2) exploit constraints which ensure the same exploitation strategy is applied, e.g., to bypass deployed defenses or to stitch multiple gadgets together. We propose a hybrid solution to this problem by integrating techniques including multi-version execution (MVE), dynamic taint analysis (DTA), and concolic execution. We have implemented a prototype of TAICHI on x86 and x86-64 Linux and tested it on the Cyber Grand Challenge (CGC) dataset, several Capture the Flag (CTF) challenges, and Metasploit exploit modules targeting real world applications. The evaluation results showed that TAICHI could reconstruct exploits efficiently with a high success rate. Moreover, it could be applied to production environments without disrupting running services, and could reconstruct exploits even if only one round of exploitation traffic is available.

Ryan Holeman,John Hastings,Varghese Mathew Vaidyan

2024-06-10

Abstract:As emerging software vulnerabilities continuously threaten enterprises and Internet services, there is a critical need for improved security research capabilities. This paper introduces the Security Exploit Telemetry Collection (SETC) framework - an automated framework to generate reproducible vulnerability exploit data at scale for robust defensive security research. SETC deploys configurable environments to execute and record rich telemetry of vulnerability exploits within isolated containers. Exploits, vulnerable services, monitoring tools, and logging pipelines are defined via modular JSON configurations and deployed on demand. Compared to current manual processes, SETC enables automated, customizable, and repeatable vulnerability testing to produce diverse security telemetry. This research enables scalable exploit data generation to drive innovations in threat modeling, detection methods, analysis techniques, and remediation strategies. The capabilities of the framework are demonstrated through an example scenario. By addressing key barriers in security data generation, SETC represents a valuable platform to support impactful vulnerability and defensive security research.

Cryptography and Security

Yan Wang,Chao Zhang,Xiaobo Xiang,Zixuan Zhao,Wen-Jie Li,Xiaojing Gong,Bingchang Liu,Kaixiang Chen,Wei Zou

DOI: https://doi.org/10.1145/3243734.3243847

2018-01-01

Abstract:Automatic exploit generation is an open challenge. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (POC) inputs triggering vulnerabilities, and generate exploits when exploitable states are found along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In addition, few solutions could exploit heap-based vulnerabilities. In this paper, we propose a new solution revery to search for exploitable states in paths diverging from crashing paths, and generate control-flow hijacking exploits for heap-based vulnerabilities. It adopts three novel techniques:(1) a digraph to characterize a vulnerability's memory layout and its contributor instructions;(2) a fuzz solution to explore diverging paths, which have similar memory layouts as the crashing paths, in order to search more exploitable states and generate corresponding diverging inputs;(3) a stitch solution to stitch crashing paths and diverging paths together, and synthesize EXP inputs able to trigger both vulnerabilities and exploitable states. We have developed a prototype of revery based on the binary analysis engine angr, and evaluated it on a set of 19 real world CTF (capture the flag) challenges. Experiment results showed that it could generate exploits for 9 (47%) of them, and generate EXP inputs able to trigger exploitable states for another 5 (26%) of them.

Ruipeng Wang,Kaixiang Chen,Zulie Pan,Yuwei Li,Qianyu Li,Yang Li,Min Zhang,Chao Zhang

DOI: https://doi.org/10.1016/j.cose.2022.102995

2023-01-01

Abstract:Assessing the exploitability of vulnerabilities is critical for defenders. But the vulnerability-triggering samples available for analysts often do not trigger exploitable states, making it hard to accurately assess whether the underlying vulnerabilities are exploitable. Several customized fuzzing solutions have been proposed to address this problem, by searching for new vulnerability-triggering test cases that can enter exploitable program states. However, such solutions are inefficient and in general take an overwhelmingly long time to find exploitable states, due to the large number of program paths to explore and complicated path constraints to satisfy. In this paper, we present a new automated solution Tunter to assess the exploitability of vulnerabilities. It could explore exploitable program states and generate working exploits, even if only non-exploitable vulnerability-triggering samples are given. It adopts two novel techniques: (1) a taint-guided exploration procedure to explore candidate exploitable states; and (2) a pruning mechanism to prune unwanted states for exploitation to alleviate the state explosion issue faced by symbolic execution. We have implemented a prototype of Tunter and evaluated it on 14 capture-the-flag (CTF) programs and two real-world applications. The experimental results demonstrate that it has significant performance than state-of-the-art solution Revery (Wang et al., 2018). Specifically, it finds exploitable states for these 16 programs with a 75% recall and an 88.9% precision, and eventually generates working exploits for 11 out of these 16 programs. Moreover, Tunter is 41.02 times faster than Revery.

computer science, information systems

Zheng Yang,Degang Sun,Yan Wang,Xinbo Han,Chen Meng,Weiqing Huang

DOI: https://doi.org/10.1109/trustcom60117.2023.00370

2024-01-01

Abstract:In the evolution process of cyberattack-defense confrontation, both sides have always been in a state of mutual confrontation and collaborative development, continuously upgrading their tools to improve adversarial capabilities. However, in this arms race, the positions of the both sides are imbalanced. As the party actively initiating the attack, attackers always is able to actively adjust the attack strategy based on the detected defense vulnerabilities to launch effective attacks. While the defenders always detecting defense vulnerabilities after suffering losses and filling them in a "patching" manner. This post awareness security protection strategy has a "fatal time difference" when dealing with unknown attacks. This paper aims to change the imbalanced state. Therefore, a attack confrontation model DTrap is proposed based on the concept of moving target defense, which introduce of high simulation trap hosts to achieve IP address and service port confusion. It can simulate real hosts to achieve various common network protocol requests and responses, and it can provide better dynamism than Honeypot when adjusting trap policies. DTrap can reverse the imbalance situation by increasing attack costs and promoting attack difficulty. We constructed a real adversarial environment, the security effectiveness of the DTrap model was evaluated through comprehensive and multi-dimensional experiments. The results indicate that DTrap can exert expected effectiveness in resisting network attacks of different dimensions, and effectively enhance the network attack confrontation ability.

Feng Xiao,Enhong Chen,Qiang Xu,Xianguo Zhang

DOI: https://doi.org/10.1155/2021/7525092

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:Considering that the attacks against the industrial control system are mostly organized and premeditated actions, IP traceback is significant for the security of the industrial control system. Based on the infrastructure of the internet, we have developed a novel malicious IP traceback model, ICSTrace, without deploying any new services. The model extracts the function codes and their parameters from the attack data according to the format of the industrial control protocol and employs a short sequence probability method to transform the function codes and their parameters into a vector, which characterizes the attack pattern of malicious IP addresses. Furthermore, a partial seeded K-means algorithm is proposed for the pattern’s clustering, which helps in tracing the attacks back to an organization. ICSTrace is evaluated based on the attack data captured by the large-scale deployed honeypots for the industrial control system, and the results demonstrate that ICSTrace is effective on malicious IP traceback in the industrial control system.

Yixin Wu,Cheng Huang,Xing Zhang,Hongyi Zhou

DOI: https://doi.org/10.1155/2020/8842539

IF: 1.968

2020-01-01

Security and Communication Networks

Abstract:As Advanced Persistent Threat (APT) becomes increasingly frequent around the world, security experts are starting to look at how to observe, predict, and mitigate the damage from APT attacks. In the meantime, the Internet of things devices are also risky and heavily exposed to the Internet, making them more easily used by hacker organizations to launch APT attacks. An excellent attacker can take down millions of Internet of things devices in a short time. Once the IoT botnet is built, attackers can use it to launch complex attacks which could damage Internet infrastructure and cause network disconnection. This paper proposes GroupTracer, a framework for observing and predicting the Internet of things attacks. GroupTracer is designed to automatically extract the TTP profiles (i.e., tactics, techniques, and procedures) that can describe the behavior of attackers through their tactics, techniques, and processes and dig out the potential attacker groups behind complex attacks. Firstly, it captures attacks by IoT honeypots and extracts relevant fields from logs. Then, attack behaviors are automatically mapped to the ATT&CK framework to achieve automatic TTP profiles extraction. After that, GroupTracer presents four feature groups, including TTP profiles, Time, IP, and URL features, a total of 18 features, mines potential attack groups through hierarchical clustering algorithm, and compares the clustering results with two baseline algorithms. As the ground truth labels are unknown, we apply three internal validation indexes to evaluate the cluster quantity. Experimental results showed that the proposed framework has achieved an excellent performance in exploiting potential groups as the Calinski–Harabasz index reaches 3416.93. Eventually, attack trees are generated for each cluster where nodes indicate attack commands and edges represent command sequences. These attack trees could help better understand each attack group’s actions and techniques.

Jiaping Gui,Ding Li,Zhengzhang Chen,Junghwan Rhee,Xusheng Xiao,Mu Zhang,Kangkook Jee,Zhichun Li,Haifeng Chen

DOI: https://doi.org/10.1109/ICDE48307.2020.00151

2020-01-01

Abstract:While backtracking analysis has been successful in assisting the investigation of complex security attacks, it faces a critical dependency explosion problem. To address this problem, security analysts currently need to tune backtracking analysis manually with different case-specific heuristics. However, existing systems fail to fulfill two important system requirements to achieve effective backtracking analysis. First, there need flexible abstractions to express various types of heuristics. Second, the system needs to be responsive in providing updates so that the progress of backtracking analysis can be frequently inspected, which typically involves multiple rounds of manual tuning. In this paper, we propose a novel system, APTrace, to meet both of the above requirements. As we demonstrate in the evaluation, security analysts can effectively express heuristics to reduce more than 99.5% of irrelevant events in the backtracking analysis of real-world attack cases. To improve the responsiveness of backtracking analysis, we present a novel execution-window partitioning algorithm that significantly reduces the waiting time between two consecutive updates (especially, 57 times reduction for the top 1% waiting time).

Feng Xiao,Qiang Xu

DOI: https://doi.org/10.48550/arXiv.1912.12828

2019-12-30

Cryptography and Security

Abstract:Considering the attacks against industrial control system are mostly organized and premeditated actions, IP traceback is significant for the security of industrial control system. Based on the infrastructure of the Internet, we have developed a novel malicious IP traceback model-ICSTrace, without deploying any new services. The model extracts the function codes and their parameters from the attack data according to the format of industrial control protocol, and employs a short sequence probability method to transform the function codes and their parameter into a vector, which characterizes the attack pattern of malicious IP addresses. Furthermore, a Partial Seeded K-Means algorithm is proposed for the pattern's clustering, which helps in tracing the attacks back to an organization. ICSTrace is evaluated basing on the attack data captured by the large-scale deployed honeypots for industrial control system, and the results demonstrate that ICSTrace is effective on malicious IP traceback in industrial control system.

Zhongru Wang,Yuntao Zhang,Zhihong Tian,Qiang Ruan,Tong Liu,Haichen Wang,Zhehui Liu,Jiayi Lin,Binxing Fang,Wei Shi

DOI: https://doi.org/10.3390/s19153362

IF: 3.9

2019-01-01

Sensors

Abstract:Recently, automated software vulnerability detection and exploitation in Internet of Things (IoT) has attracted more and more attention, due to IoT's fast adoption and high social impact. However, the task is challenging and the solutions are non-trivial: the existing methods have limited effectiveness at discovering vulnerabilities capable of compromising IoT systems. To address this, we propose an Automated Vulnerability Discovery and Exploitation framework with a Scheduling strategy, AutoDES that aims to improve the efficiency and effectiveness of vulnerability discovery and exploitation. In the vulnerability discovery stage, we use our Anti-Driller technique to mitigate the "path explosion" problem. This approach first generates a specific input proceeding from symbolic execution based on a Control Flow Graph (CFG). It then leverages a mutation-based fuzzer to find vulnerabilities while avoiding invalid mutations. In the vulnerability exploitation stage, we analyze the characteristics of vulnerabilities and then propose to generate exploits, via the use of several proposed attack techniques that can produce a shell based on the detected vulnerabilities. We also propose a genetic algorithm (GA)-based scheduling strategy (AutoS) that helps with assigning the computing resources dynamically and efficiently. The extensive experimental results on the RHG 2018 challenge dataset and the BCTF-RHG 2019 challenge dataset clearly demonstrate the effectiveness and efficiency of the proposed framework.

Yan Wang,Wei Wu,Chao Zhang,Xinyu Xing,Xiaorui Gong,Wei Zou

DOI: https://doi.org/10.1186/s42400-019-0028-9

2019-01-01

Abstract:Exploitability assessment of vulnerabilities is important for both defenders and attackers. The ultimate way to assess the exploitability is crafting a working exploit. However, it usually takes tremendous hours and significant manual efforts. To address this issue, automated techniques can be adopted. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (PoC) inputs triggering vulnerabilities, and assess exploitability by finding exploitable states along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In this paper, we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit. Technically, we utilize oriented fuzzing to explore diverging paths from vulnerability point. For userspace programs, we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit. For kernel UAF, we leverage a lightweight symbolic execution to identify, analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities. We have developed a prototype system and evaluated it on a set of 19 CTF (capture the flag) programs and 15 realworld Linux kernel UAF vulnerabilities. Experiment results showed it could generate exploit for most of the userspace test set, and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.

Georgel Savin,Ammar Asseri,Josiah Dykstra,Jonathan Goohs,Anthony Melarano,William Casey

DOI: https://doi.org/10.1145/3607505.3607524

2023-07-20

Abstract:Industry standard frameworks are now widespread for labeling the high-level stages and granular actions of attacker and defender behavior in cyberspace. While these labels are used for atomic actions, and to some extent for sequences of actions, there remains a need for labeled data from realistic full-scale attacks. This data is valuable for better understanding human actors' decisions, behaviors, and individual attributes. The analysis could lead to more effective attribution and disruption of attackers. We present a methodological approach and exploratory case study for systematically analyzing human behavior during a cyber offense/defense capture-the-flag (CTF) game. We describe the data collection and analysis to derive a metric called keystroke accuracy. After collecting players' commands, we label them using the MITRE ATT&CK framework using a new tool called Pathfinder. We present results from preliminary analysis of participants' keystroke accuracy and its relation to score outcome in CTF games. We describe frequency of action classification within the MITRE ATT&CK framework and discuss some of the mathematical trends suggested by our observations. We conclude with a discussion of extensions for the methodology, including performance evaluation during games and the potential use of this methodology for training artificial intelligence.

Cryptography and Security

Ziming Zhao,Zhaoxuan Li,Zhuoxue Song,Wenhao Li,Fan Terry Zhang

DOI: https://doi.org/10.1145/3589334.3645407

2024-01-01

Abstract:To detect unknown attack traffic, anomaly-based network intrusion detection systems (NIDSs) are widely used in Internet infrastructure. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with (i) fine-grained emerging attack detection and (ii) incremental updates/adaptations. To tackle these problems, we propose to decouple the need for model capabilities by transforming known/new class identification issues into multiple independent one-class learning tasks. Based on the above core ideas, we develop Trident, a universal framework for fine-grained unknown encrypted traffic detection. It consists of three main modules, i.e., tSieve, tScissors, and tMagnifier are used for profiling traffic, determining outlier thresholds, and clustering respectively, each of which supports custom configuration. Using four popular datasets of network traces, we show that Trident significantly outperforms 16 state-of-the-art (SOTA) methods. Furthermore, a series of experiments (concept drift, overhead/parameter evaluation) demonstrate the stability, scalability, and practicality of Trident.

Chris Chapman,Scott Knight,Tom Dean

DOI: https://doi.org/10.48550/arXiv.1410.4304

2014-10-16

Cryptography and Security

Abstract:This paper identifies an intrusion surveillance framework which provides an analyst with the ability to investigate and monitor cyber-attacks in a covert manner. Where cyber-attacks are perpetrated for the purposes of espionage the ability to understand an adversary's techniques and objectives are an important element in network and computer security. With the appropriate toolset, security investigators would be permitted to perform both live and stealthy counter-intelligence operations by observing the behaviour and communications of the intruder. Subsequently a more complete picture of the attacker's identity, objectives, capabilities, and infiltration could be formulated than is possible with present technologies. This research focused on developing an extensible framework to permit the covert investigation of malware. Additionally, a Universal Serial Bus (USB) Mass Storage Device (MSD) based covert channel was designed to enable remote command and control of the framework. The work was validated through the design, implementation and testing of a toolset.

Zhi Liu,Xiaosong Zhang,Xiongda Li

DOI: https://doi.org/10.1109/mines.2010.108

2010-01-01

Abstract:Software vulnerability is the major root of security issues which results in serious attacks such as DDOS and worms. How to find vulnerability especially on binaries has been an alluring but challenging topic. Traditional black-box fuzzing heavily relies on input format so that it cannot work on unknown formats, more severely, it cannot generate effective test cases because it randomly change input values. Therefore, fuzzing is rarely effective in real-world circumstances. Information flow tracking, namely taint analysis, has been used in recent years in attack detection and malware analysis but no prior work has used this technique to actively find software vulnerability on binaries. In this paper, we propose a novel approach to find software vulnerability via dynamic tainting consisting of three steps. First execute target program with a seed input being independent of input format. Then identify relevant bytes by back tracking from vulnerability points, defined as dangerous library or system calls, to the original input. Finally generate new test cases by mutating relevant bytes while irrelevant parts remain unchanged. It guarantees that new inputs are able to divert execution flow to vulnerability points. We implemented the system in Windows and evaluated two real-world vulnerabilities. Compared with black-box fuzzing, experiment results show our approach can generate effective test inputs to expose vulnerabilities in short time, which also incurs low overhead.

Yan Wang,Chao Zhang,Xiaobo Xiang,Zixuan Zhao,Bingchang Liu,Wenjie Li,Xiaorui Gong,Kaixiang Chen,Wei Zou

DOI: https://doi.org/10.1145/3243734.3243847

2018-01-01

Abstract:Automatic exploit generation is an open challenge. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (PoC) inputs triggering vulnerabilities, and generate exploits when exploitable states are found along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In addition, few solutions could exploit heap-based vulnerabilities.In this paper, we propose a new solution Revery to search for exploitable states in paths diverging from crashing paths, and generate control-flow hijacking exploits for heap-based vulnerabilities. It adopts three novel techniques: (1) a layout-contributor digraph to characterize a vulnerability's memory layout and its contributor instructions; (2) a layout-oriented fuzzing solution to explore diverging paths, which have similar memory layouts as the crashing paths, in order to search more exploitable states and generate corresponding diverging inputs; (3) a control-flow stitching solution to stitch crashing paths and diverging paths together, and synthesize EXP inputs able to trigger both vulnerabilities and exploitable states.We have developed a prototype of Revery based on the binary analysis engine angr, and evaluated it on a set of 19 CTF (capture the flag) programs. Experiment results showed that it could generate exploits for 9 (47%) of them, and generate EXP inputs able to trigger exploitable states for another 5 (26%) of them.

Zhang Siyu,Jiang Kaida

DOI: https://doi.org/10.13245/j.hust.161102

2016-01-01

Abstract:Restricted by the scanning engines ,existing vulnerability management systems suffer limi‐tations in extensibility and performance .A platform for automated vulnerability tracking was pro‐posed ,which allowed unified management of vulnerabilities from all sources .Every vulnerability was associated with a script for fix verification ,and the multi‐process task scheduler performed frequent retests in parallel ,whose performance could be further improved with a distributed deployment .As exit code was used to indicate the test results ,vulnerability test scripts could be written in any execut‐able programming language ,and could be shared by similar vulnerabilities .Open data interfaces were developed to allow integration of this platform with other IT asset and workflow management sys‐tems .There are already two successful deployments of this platform ,and the result shows that it can effectively speed up the process of vulnerability remediation .

Xiangkun Jia,Chao Zhang,Purui Su,Yi Yang,Huafeng Huang,Dengguo Feng

2017-01-01

Abstract:Heap overflow is a prevalent memory corruption vulnerability, playing an important role in recent attacks. Finding such vulnerabilities in applications is thus critical for security. Many state-of-art solutions focus on runtime detection, requiring abundant inputs to explore program paths in order to reach a high code coverage and luckily trigger security violations. It is likely that the inputs being tested could exercise vulnerable program paths, but fail to trigger (and thus miss) vulnerabilities in these paths. Moreover, these solutions may also miss heap vulnerabilities due to incomplete vulnerability models.In this paper, we propose a new solution HOTracer to discover potential heap vulnerabilities. We model heap overflows as spatial inconsistencies between heap allocation and heap access operations, and perform an indepth offline analysis on representative program execution traces to identify heap overflows. Combining with several optimizations, it could efficiently find heap overflows that are hard to trigger in binary programs. We implemented a prototype of HOTracer, evaluated it on 17 real world applications, and found 47 previously unknown heap vulnerabilities, showing its effectiveness.

Adam Caulfield,Antonio Joia Neto,Norrathep Rattanavipanon,Ivan De Oliveira Nunes

2024-09-28

Abstract:Control Flow Attestation (CFA) offers a means to detect control flow hijacking attacks on remote devices, enabling verification of their runtime trustworthiness. CFA generates a trace (CFLog) containing the destination of all branching instructions executed. This allows a remote Verifier (Vrf) to inspect the execution control flow on a potentially compromised Prover (Prv) before trusting that a value/action was correctly produced/performed by Prv. However, while CFA can be used to detect runtime compromises, it cannot guarantee the eventual delivery of the execution evidence (CFLog) to Vrf. In turn, a compromised Prv may refuse to send CFLog to Vrf, preventing its analysis to determine the exploit's root cause and appropriate remediation actions. In this work, we propose TRACES: TEE-based Runtime Auditing for Commodity Embedded Systems. TRACES guarantees reliable delivery of periodic runtime reports even when Prv is compromised. This enables secure runtime auditing in addition to best-effort delivery of evidence in CFA. TRACES also supports a guaranteed remediation phase, triggered upon compromise detection to ensure that identified runtime vulnerabilities can be reliably patched. To the best of our knowledge, TRACES is the first system to provide this functionality on commodity devices (i.e., without requiring custom hardware modifications). To that end, TRACES leverages support from the ARM TrustZone-M Trusted Execution Environment (TEE). To assess practicality, we implement and evaluate a fully functional (open-source) prototype of TRACES atop the commodity ARM Cortex-M33 micro-controller unit.

Cryptography and Security