CEFI: Command Execution Flow Integrity for Embedded Devices.

As embedded devices are widely used in increasingly complex settings (e.g., smart homes and industrial control systems), one device is usually connected with multiple entities, such as mobile apps and the cloud. Recent research has shown that privilege separation vulnerabilities, which allow violations of authority between different entities, are occuring in IoT systems. Because such vulnerabilities can be exploited without violating static control flow and data flow, existing CFI and DFI solutions cannot prevent them. We present CEFI , the first method to enforce integrity of command execution on embedded devices after deployment. CEFI provides fine-grained Command Execution Flow Integrity by preventing external commands from being executed on control flow paths belonging to interaction channels that are not authorized to perform them. Using minimal manual annotations as a starting point, CEFI statically determined the legal path set (from the start to the end point) and instruments the program to verify the legitimacy of the command execution at runtime by checking whether the calling context is consistent between the runtime executed path and statically obtained legal path set. We evaluate our prototype with five real-world firmware samples, and show that CEFI has an average performance overhead of just 0.18%, an average memory overhead of 0.19%, and that CEFI can effectively protect embedded devices against attacks on privilege separation vulnerabilities even if they do not violate control flow.