Probabilistic Analysis of Code-Reuse Attacks and Defenses in IoT

  • Ho, Jun-Won (Department of Information Security, Seoul Women's University)
  • Received : 2016.12.22
  • Accepted : 2017.01.20
  • Published : 2017.02.28


In the Internet of Things (IoT), resource-limited smart devices communicate with each other while performing sensing and computation tasks. These devices can therefore be exposed to various attacks that are launched and spread through the network. For instance, an attacker can reuse the code of IoT devices to execute malicious activity. Code-reuse attacks are generally considered dangerous because an attacker can craft malicious code by skillfully reusing code already stored in IoT devices. Although a variety of schemes have been proposed to defend against code-reuse attacks, code randomization is regarded as a representative defense technique. Much research has been done on code randomization techniques; however, there is little work analyzing the interactions between code randomization defenses and code-reuse attacks, although this is an important problem to explore. To provide a better understanding of these interactions in IoT, we analyze how code randomization defends against code-reuse attacks in IoT and simulate it. Both the analysis and the simulation results show that the more frequently code randomization occurs, the less frequently code-reuse attacks succeed.


Supported by : National Research Foundation of Korea (NRF)

