
Linux Attack Simulation Kit

Overview

Sternum Embedded Integrity Verification (EIV™) deterministically blocks certain code and memory manipulations in real time, preventing entire classes of vulnerabilities from being exploited.

EIV provides blanket protection against most major threats, including all of MITRE's 'Top 25 Most Dangerous Software Weaknesses' that are in scope for IoT: command injections, execution-flow manipulations, buffer overflows, and more. Its deterministic security model makes it equally effective against future threats, mitigating 0-day and 1-day threats and reducing the need for, and the cost of, security patching.

Furthermore, EIV's protection applies automatically to third-party supply-chain code. Software supply chain vulnerabilities are among the most common threat vectors. EIV™ removes this risk by securing all running code, including third-party libraries used for communication, encryption, authentication, OTA updates, and other device functions.


As part of a PoC, Sternum provides an Attack Simulation Kit, a first-of-its-kind kit dedicated to simulating and testing attacks and exploitation techniques that are common against embedded systems. It evaluates both a system's readiness to withstand those threats and the effectiveness of any security solution deployed on the system.

For each vulnerability, there’s an associated CWE describing the general vulnerability type.

Note: CWE refers to types of software weaknesses rather than to specific instances of vulnerabilities within products or systems. Essentially, CWE is a 'dictionary' of software weakness types, while CVE is a list of known (publicly disclosed) instances of vulnerabilities in specific products or systems.


Sternum's attack kit simulates a set of generic attack vectors associated with common CWEs. Using the kit, users can assess Sternum's effectiveness against entire families of vulnerabilities (known or zero-day).


Please note: the CWEs included in the kit are only a sample of what the Sternum platform prevents and detects. The platform covers many additional threat types that are not currently simulated in the kit.

Usage and CWE Mapping

The attack kit consists of a command that triggers the specified attack on the local device.

Command usage

Run:

attack_simulation_kit <t> <a>

with the following parameters:

<t>  <a>  Attack type             Attack details and associated CWE(s)
 1    1   Heap memory attack      String copy causing memory corruption.
                                  String operation without a length check that corrupts a function pointer field in a struct allocated on the heap.
 1    2   Heap memory attack      Memory copy without length check.
                                  Memory operation without a length check, resulting in malicious code execution.
 1    3   Heap memory attack      Memory corruption across multiple functions.
                                  Memory operation without a length check corrupts an allocation referenced from multiple functions, resulting in malicious code execution.
 1    4   Heap memory attack      Gaining absolute write via multiple corruptions.
   ??     Heap memory attack      Memory corruption involving multiple structs on the heap, resulting in the ability to write to an absolute address.
   ??     Heap memory attack      Bad Alloc: heap overflow due to an integer overflow of the calloc total size.
 2    1   Heap information leak   Memory leak without length check.
                                  Memory operation without a length check, leaking information located in a different allocation.
 2    2   Heap information leak   Off-by-one corruption allows information leak.
                                  An off-by-one memory operation lets an attacker change a field inside a struct, altering the number of bytes read from the struct and reading past its end.
 3    1   Command injection       Simple command injection without sanitation.
                                  Command injection using an snprintf format without sanitation.
                                  CWE-78: Improper Neutralization of Special Elements used in an OS Command (https://cwe.mitre.org/data/definitions/78.html)
 3    2   Command injection       No sanitation across multiple functions.
                                  Command injection using an snprintf format without sanitation, across multiple function calls.
                                  CWE-78: Improper Neutralization of Special Elements used in an OS Command (https://cwe.mitre.org/data/definitions/78.html)
 3    3   Command injection       Mix of multiple parameter types.
                                  Command injection using an snprintf format with different parameter types.
                                  CWE-78: Improper Neutralization of Special Elements used in an OS Command (https://cwe.mitre.org/data/definitions/78.html)
 3    4   Command injection       Improper sanitation bypass.
                                  CWE-78: Improper Neutralization of Special Elements used in an OS Command (https://cwe.mitre.org/data/definitions/78.html)
 4    1   Stack memory attack     Stack memory copy without length check.
                                  Memory operation without a length check, resulting in malicious code execution.
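As an added example (not code from the kit or from Sternum), the C below puts the defect pattern behind the first heap case, an unbounded string copy into a heap struct whose next field is a function pointer, next to a length-checked replacement, and adds an overflow-checked size computation for the Bad Alloc case. The struct device layout and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical heap record (constructed for this example): a fixed-size name
 * immediately followed by a function pointer, the layout the kit's string-copy
 * case corrupts when the copy runs past name[]. */
struct device {
    char name[16];
    void (*on_update)(struct device *);
};
/* The defect as the kit describes it: strcpy has no length check, so a source
 * longer than 15 bytes runs past name[] and overwrites on_update. */
void set_name_unchecked(struct device *d, const char *src)
{
    strcpy(d->name, src);
}

/* Hardened form: look for the terminator only within the buffer size, reject
 * input that does not fit together with its NUL, and copy exactly what fits.
 * Returns 0 on success, -1 when rejected (the struct is left untouched). */
int set_name_checked(struct device *d, const char *src)
{
    const char *end = memchr(src, '\0', sizeof d->name);
    if (end == NULL)
        return -1;
    memcpy(d->name, src, (size_t)(end - src) + 1);
    return 0;
}

/* Overflow-checked element-count allocation (the "Bad Alloc" case): if nmemb * size
 * wraps, a small block comes back and later writes overflow it. Refuse instead. */
void *alloc_array_checked(size_t nmemb, size_t size)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return NULL;
    return malloc(nmemb * size);
}

int main(void)
{
    struct device *d = calloc(1, sizeof *d);
    if (d == NULL)
        return 1;
    set_name_unchecked(d, "sensor-01");                          /* fits: harmless */
    int rc = set_name_checked(d, "this-name-is-far-too-long");  /* rejected: -1 */
    free(d);
    return rc == -1 ? 0 : 1;
}
```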

Running a heap memory attack

  • If the device is not protected against that attack, the process will crash with a segmentation fault or an illegal instruction message.
  • If the device is protected, the process will exit without printing anything.
    • If the device is connected, you can see the information about the attack attempt on the Sternum Platform.

Running a heap information leak

  • If the device is not protected against that attack, the password will be printed to the screen.
  • If the device is protected, the process will exit without printing anything.
    • If the device is connected, you can see the information about the attack attempt on the Sternum Platform.

Running a command injection attack

  • If the device is not protected against that attack, the contents of the /etc/shadow file will be printed to the screen.
  • If the device is protected with Sternum's protection, the command injection will fail, showing usage/syntax errors.
    • If the device is connected, you can see the information about the attack attempt on the Sternum Platform.
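As an added example (not the kit's code), this C shows the snprintf-into-a-shell-command pattern behind the command injection cases beside two mitigations: an allow-list validator for the argument, and execution through execvp with a fixed argv so that no shell ever parses it. The `ip link show` command and the interface-name rule are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The defect the kit's command-injection cases model: caller text is formatted
 * straight into a shell command line for system(), so every shell metacharacter
 * in `iface` is interpreted by /bin/sh. For contrast only; never executed here. */
int build_command_unsafe(char *buf, size_t n, const char *iface)
{
    return snprintf(buf, n, "ip link show %s", iface);
}

/* Mitigation 1: allow-list validation. A Linux interface name is at most 15
 * bytes and needs only letters, digits, '-', '_' and '.'. Returns 1 if valid. */
int is_valid_iface_name(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 15)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != '.')
            return 0;
    }
    return 1;
}

/* Mitigation 2: no shell at all. The name travels as its own argv entry, so a
 * value that slipped past validation is still never parsed by a shell.
 * Returns the child's exit status, or -1 if rejected or fork/wait failed. */
int run_ip_link_show(const char *iface)
{
    if (!is_valid_iface_name(iface))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ip", "link", "show", (char *)iface, NULL };
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```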

Running a stack memory attack

  • If the device is not protected against that attack, the binary should crash and "stack smashing detected" will be printed to the screen.
  • If the device is protected by using the appropriate compiler flag, the process will exit without printing anything.
    • If the device is connected, you can see the information about the attack attempt on the Sternum Platform.