Embedded devices are ubiquitous. However, previous research puts little effort on understanding the adoption of common attack mitigations in embedded devices, creating a knowledge gap on embedded security. To bridge this gap, we present an in-depth study by evaluating the adoption of common attack mitigations on embedded devices. In this paper, we summarize our effort on building a high-quality dataset, accurately evaluating kernel-level and user-space attack mitigations and inferring the factors contributing to the absence of attack mitigations. The dataset contains the firmware images from 38 real world vendors range over a decade, reflecting the up- to-date ecology of embedded security. The lack of enough adoption of attack mitigations exposes threat in the coming IoT era as the situation is not improving over time. We envision that understanding the potential factors leading to the lack of adoption of attack mitigations will shed light on improving the security of embedded devices in the future.
Ruotong Yu earned his bachelor’s degree in Electrical Engineering from the University of Washington in 2017 and finished his master’s degree from George Washington University in 2019. He then joined Professor Jun Xu’s group as a Ph.D. student in Fall 2019. Currently, he is a third-year Ph.D. student at the University of Utah. His research area focuses on binary analysis, IoT security and etc.
Yuchen Zhang obtained his BA in Computer Science at Boston University and took master courses at Brandeis University. He is currently in his third year of his Ph.D. in Computer Science at Stevens Institute of Technology. His research interests center around Software, System Security, and malware.
Shan Huang recently worked as a penetrating tester in a leading group of the TIC industry for three years. He is now a first-year Ph.D. student at the Stevens Institute of Technology under the supervision of professor Georgios Portokalidis and professor Jun Xu. Previously he obtained his bachelor's in CS and computer security at Henan University and The University of Manchester. His current research interest focuses on system security and embedded system security.