A Holistic Approach to Securing Memory Error Vulnerabilities in IoT Firmware

Doctoral Candidate Name: 
Islam Obaidat
Program: 
Computing and Information Systems
Abstract: 

A staggering number of Internet-of-Things (IoT) devices harbor intrinsic security vulnerabilities in firmware. Memory errors are an especially predominant and potent category among these vulnerabilities. Memory errors not only permit remote attackers to achieve Turing-complete access to compromised IoT devices but also provide a means to orchestrate massive Distributed Denial-of-Service (DDoS) attacks, capable of destabilizing even the most resilient Internet infrastructures. Standard protection techniques against memory errors, such as ASLR, can be easily bypassed, undermining their effectiveness. While certain advanced defense measures, such as software diversity and control-flow integrity, have been adapted for IoT devices, their constraints and associated overheads often render them impractical for deployment in real-world IoT devices.

This dissertation presents a holistic approach to securing memory error vulnerabilities in IoT firmware as four research thrusts: (1) we investigate remote attack strategies that exploit memory error vulnerabilities in ARM and x86 IoT firmware in the presence of standard software defenses such as DEP and ASLR; we also demonstrate man-in-the-middle attack strategies on actual IoT devices using tools such as Wi-Fi Pineapple; (2) we build and validate a testbed capable of hosting real-world IoT binaries in a simulated network, for deploying authentic DDoS scenarios; (3) we develop an IoT software diversity defense technique to resist memory error exploits; our technique generates multiple, semantically equivalent, syntactically distinct variations of IoT firmware that thwart mass duplication of identical firmware, thereby making it more challenging for attackers to deduce implementation details (crucial for memory error exploits) of any of these firmware binaries; and (4) we create cybersecurity educational modules for undergraduate and graduate students for teaching memory error exploit and defense techniques; we deploy our modules in multiple sections of an undergraduate introductory cybersecurity course at UNC Charlotte and analyze data collected through surveys on learning outcomes, engagement and experience.

Defense Date and Time: 
Friday, September 15, 2023 - 10:00am
Defense Location: 
335 Woodward Hall
Committee Chair's Name: 
Dr. Meera Sridhar
Committee Members: 
Dr. Weichao Wang, Dr. Tom Moyer, Dr. Erik Saule