A Segmented Stack Randomization for bare-metal IoT devices

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-01-24 DOI:10.1016/j.cose.2025.104342

Junho Jung , BeomSeok Kim , Heeseung Son , Daehee Jang , Ben Lee , Jinsung Cho

{"title":"A Segmented Stack Randomization for bare-metal IoT devices","authors":"Junho Jung , BeomSeok Kim , Heeseung Son , Daehee Jang , Ben Lee , Jinsung Cho","doi":"10.1016/j.cose.2025.104342","DOIUrl":null,"url":null,"abstract":"<div><div>Bare-metal IoT devices, lacking memory management features such as virtual memory and Memory Management Units (MMUs), are increasingly vulnerable to memory corruption attacks like buffer overflow and Return-Oriented Programming (ROP). To address these challenges, this paper proposes the Segmented Stack Randomization (SSR) scheme, a novel approach that enhances security by randomly allocating stack space across multiple segments during function calls. Designed to operate without additional hardware, the proposed SSR is highly suitable for resource-constrained IoT environments, particularly those requiring predictable execution times for real-time applications. The proposed SSR involves Low Level Virtual Machine (LLVM)-based code instrumentation, enabling seamless integration into finalized firmware without introducing debugging complexities. A proof-of-concept implementation on an ARM Cortex-M4 platform demonstrated that SSR provides robust protection against stack-based attacks with minimal performance overhead, averaging <span><math><mrow><mn>1</mn><mo>.</mo><mn>591</mn><mspace></mspace><mi>μ</mi><mi>s</mi></mrow></math></span>ec per function call. Additionally, the proposed SSR offers tunable trade-offs between memory usage and randomization entropy, ensuring adaptability to various application requirements. These results highlight the proposed SSR as a practical and efficient security solution for safeguarding bare-metal IoT devices against evolving threats.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104342"},"PeriodicalIF":4.8000,"publicationDate":"2025-01-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825000318","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Bare-metal IoT devices, lacking memory management features such as virtual memory and Memory Management Units (MMUs), are increasingly vulnerable to memory corruption attacks like buffer overflow and Return-Oriented Programming (ROP). To address these challenges, this paper proposes the Segmented Stack Randomization (SSR) scheme, a novel approach that enhances security by randomly allocating stack space across multiple segments during function calls. Designed to operate without additional hardware, the proposed SSR is highly suitable for resource-constrained IoT environments, particularly those requiring predictable execution times for real-time applications. The proposed SSR involves Low Level Virtual Machine (LLVM)-based code instrumentation, enabling seamless integration into finalized firmware without introducing debugging complexities. A proof-of-concept implementation on an ARM Cortex-M4 platform demonstrated that SSR provides robust protection against stack-based attacks with minimal performance overhead, averaging

1.591 μ s

ec per function call. Additionally, the proposed SSR offers tunable trade-offs between memory usage and randomization entropy, ensuring adaptability to various application requirements. These results highlight the proposed SSR as a practical and efficient security solution for safeguarding bare-metal IoT devices against evolving threats.

查看原文本刊更多论文

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.