DAEDALUS: Defense Against Firmware ROP Exploits Using Stochastic Software Diversity
Islam Obaidat, Meera Sridhar, Fatemeh Tavakoli
TL;DR
DAEDALUS tackles the pervasive problem of return-oriented programming (ROP) exploits in Linux-based IoT firmware by generating multiple, semantically equivalent but syntactically distinct rewrites of input binaries. The framework extends STOKE with block-level diversification, automated localized data-flow analysis, and AFL++-driven test-case generation to produce rewrites that preserve functionality while disrupting attacker knowledge of gadget layouts. It identifies security-critical blocks (Type R and Type M) for targeted diversification, builds rewrites at the basic-block level, and validates resistance to ROP and memory-error-driven DDoS attacks in a realistic DDoSim setup. Results indicate that diversifying Type R blocks (especially with at least two rewrites) can effectively halt ROP-based exploitation, reducing botnet activation and DDoS impact while keeping binary size overhead minimal. The work offers a practical, hardware-agnostic defense for IoT ecosystems deployed at scale, with concrete plans to broaden the experiments and formalize rewrite equivalence.
Abstract
This paper presents DAEDALUS, a software diversity-based framework designed to resist ROP attacks on Linux-based IoT devices. DAEDALUS generates unique, semantically equivalent but syntactically different rewrites of IoT firmware, disrupting large-scale replication of ROP attacks. DAEDALUS employs STOKE, a stochastic optimizer for x86 binaries, as its core diversity engine but introduces significant extensions to address unique IoT firmware challenges. DAEDALUS's effectiveness is evaluated using DDoSim, a published botnet DDoS attack simulation testbed. Results demonstrate that DAEDALUS successfully neutralizes ROP payloads by diversifying critical basic blocks in the firmware, preventing attackers from compromising multiple devices for DDoS attacks via memory error vulnerabilities. The findings indicate that DAEDALUS not only mitigates the impact of ROP attacks on individual IoT devices through probabilistic protection but also thwarts large-scale ROP attacks across multiple devices.
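The mechanism behind the "probabilistic protection" described above and in the TL;DR, as an added illustration that is not code from the DAEDALUS paper or its implementation: two constructed x86-64 encodings of one semantically equivalent basic block (both return `edi`, both end in `ret` at the same offset) expose different byte sequences in front of the `ret`, so a chain of gadget offsets valid on one variant no longer resolves to the same gadgets on the other. The `MAX_GADGET` window, the sample fleet deployment and the single-gadget chain are assumptions made for the example.

```python
# Added example (not from the DAEDALUS paper): why a diversified block defeats a ROP
# chain built against a different copy of the same firmware.
from typing import Dict, List, Optional

RET = 0xC3
MAX_GADGET = 4  # constructed bound on how many bytes before a ret we treat as a gadget

# Original block: push rbp; mov rbp,rsp; mov eax,edi; pop rbp; ret  (constructed bytes)
ORIGINAL = bytes.fromhex("554889e589f85dc3")
# Equivalent rewrite, same size and same ret position: a 5-byte nop replaces the
# frame setup, so the bytes preceding the ret change  (constructed bytes)
REWRITE = bytes.fromhex("0f1f44000089f8c3")


def gadget_at(code: bytes, off: int) -> Optional[bytes]:
    """Bytes from `off` up to and including the first ret inside the gadget window."""
    window = code[off:off + MAX_GADGET]
    idx = window.find(RET)
    return None if idx < 0 else bytes(window[:idx + 1])


def gadgets(code: bytes) -> Dict[int, bytes]:
    """Map of every offset that starts a ret-terminated byte sequence."""
    found = {}
    for off in range(len(code)):
        g = gadget_at(code, off)
        if g is not None:
            found[off] = g
    return found


def chain_intact(chain: List[int], built_on: bytes, target: bytes) -> bool:
    """True only if every gadget the chain relies on has identical bytes on `target`."""
    for off in chain:
        expected = gadget_at(built_on, off)
        if expected is None or gadget_at(target, off) != expected:
            return False
    return True


def fleet_exposure(variants: List[bytes], deployment: List[int],
                   chain: List[int], attacker_variant: int) -> int:
    """Number of devices on which the attacker's chain still works; `deployment`
    lists, per device, which rewrite it runs."""
    built_on = variants[attacker_variant]
    return sum(chain_intact(chain, built_on, variants[v]) for v in deployment)


if __name__ == "__main__":
    print("original gadgets:", {k: v.hex() for k, v in gadgets(ORIGINAL).items()})
    print("rewrite  gadgets:", {k: v.hex() for k, v in gadgets(REWRITE).items()})
    # Chain using the pop rbp; ret gadget at offset 6 of the original
    print("chain works on rewrite:", chain_intact([6], ORIGINAL, REWRITE))
    print("exposed devices:", fleet_exposure([ORIGINAL, REWRITE], [0, 1, 1, 0, 1], [6], 0))
```

With two rewrites spread across the fleet, the chain built on variant 0 only lands on the devices that run variant 0; on the others the same offset now decodes to different bytes (`f8 c3` instead of `5d c3`), which is the layout disruption the paper relies on.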