Harvard-architecture CPU designs are common in the embedded world; the Mica family of wireless sensors is one example. A Harvard CPU keeps program memory and data memory separate, so the processor never fetches instructions from the data memory where the stack lives, and Mica motes in addition have very little memory and can process only very small packets. Stack-based buffer overflow techniques that inject code into the stack and then execute it are therefore not applicable, and it has been a common belief that code injection is impossible on Harvard architectures. This paper presents a remote code injection attack on Mica sensors. We show how to exploit program vulnerabilities to permanently inject an arbitrary piece of code into the program memory of an Atmel AVR-based sensor. To our knowledge, this is the first result that presents a code injection technique for such devices; previous work only succeeded in injecting data or performing transient attacks. Injecting permanent code is more powerful, since the attacker gains full control of the target sensor. We also show that this attack can be used to inject a worm that can propagate through the wireless sensor network and possibly create a sensor botnet. Our attack combines different techniques, such as return-oriented programming and fake stack injection. We present implementation details and suggest some counter-measures.
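The following is an added illustration of the two points above, not code from the paper and not AVR code: a toy Harvard machine whose program counter can only index a separate program-memory array, with a packet handler that copies a packet into a fixed-size stack buffer without a length check (the assumed vulnerability). The first attempt places instructions in the packet and returns into the stack buffer, which on a Harvard machine faults instead of running them. The second attempt overwrites the saved return address and the bytes above it with a fake stack of addresses of code that already exists in program memory (return-oriented programming), reusing a pre-existing "write one byte to program memory" routine to store new instructions persistently and then returning into them. The opcode set, addresses, and a write routine that takes its arguments from the stack are all simplifications chosen for the model; on a real AVR the arguments would be loaded through register-popping gadgets.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy Harvard machine (illustration only): PROG and DATA are separate arrays and
   the program counter only ever indexes PROG, so bytes placed in DATA (the stack)
   are never fetched as instructions. Unused program memory reads as erased flash. */
enum { PROG_SIZE = 64, DATA_SIZE = 64, STACK_TOP = 48, BUF_SIZE = 4 };
enum { OP_HALT = 1, OP_NOP, OP_RET, OP_POP_A, OP_POP_B, OP_STPROG, OP_SET_FLAG,
       OP_ERASED = 0xFF };
enum { RUN_HALT = 0, RUN_FAULT = 1 };
enum { ADDR_MAIN = 0, ADDR_WRITE = 2, ADDR_TARGET = 20 }; /* program-memory addresses */

typedef struct {
    uint8_t prog[PROG_SIZE]; /* program memory: executable and persistent */
    uint8_t data[DATA_SIZE]; /* data memory: stack and packet buffer, volatile */
    int pc, sp, a, b, flag;  /* flag is set only by OP_SET_FLAG */
} vm_t;

static vm_t vm;

/* Boot image: HALT at ADDR_MAIN (the handler's legitimate return target) and a
   legitimate routine at ADDR_WRITE that stores one byte into program memory
   (stand-in for a bootloader's flash-write helper). Everything else is erased. */
void vm_reset(void) {
    memset(&vm, 0, sizeof vm);
    memset(vm.prog, OP_ERASED, PROG_SIZE);
    vm.prog[ADDR_MAIN] = OP_HALT;
    vm.prog[ADDR_MAIN + 1] = OP_NOP;
    vm.prog[ADDR_WRITE]     = OP_POP_A;  /* a <- address (from stack) */
    vm.prog[ADDR_WRITE + 1] = OP_POP_B;  /* b <- value   (from stack) */
    vm.prog[ADDR_WRITE + 2] = OP_STPROG; /* prog[a] = b */
    vm.prog[ADDR_WRITE + 3] = OP_RET;
    vm.sp = STACK_TOP;
}

static uint8_t pop(void) { return vm.sp < DATA_SIZE ? vm.data[vm.sp++] : 0xFF; }

int vm_run(void) {
    for (int steps = 0; steps < 256; steps++) {
        if (vm.pc < 0 || vm.pc >= PROG_SIZE) return RUN_FAULT; /* no such code address */
        switch (vm.prog[vm.pc++]) {
        case OP_HALT:     return RUN_HALT;
        case OP_NOP:      break;
        case OP_RET:      vm.pc = pop(); break;
        case OP_POP_A:    vm.a = pop(); break;
        case OP_POP_B:    vm.b = pop(); break;
        case OP_STPROG:   if (vm.a < PROG_SIZE) vm.prog[vm.a] = (uint8_t)vm.b; break;
        case OP_SET_FLAG: vm.flag = 1; break;
        default:          return RUN_FAULT; /* erased flash or undefined opcode */
        }
    }
    return RUN_FAULT;
}

/* Vulnerable handler: saves its return address, reserves BUF_SIZE bytes on the
   stack and copies the whole packet into them without checking len (the bug).
   A long packet overwrites the saved return address and the caller's frame
   above it. Copying past the end of data memory is impossible, so it is clamped. */
int receive_packet(const uint8_t *pkt, size_t len) {
    vm.data[--vm.sp] = ADDR_MAIN;
    vm.sp -= BUF_SIZE;
    size_t room = (size_t)(DATA_SIZE - vm.sp);
    memcpy(&vm.data[vm.sp], pkt, len < room ? len : room);
    vm.sp += BUF_SIZE;   /* epilogue: drop the buffer ... */
    vm.pc = pop();       /* ... and return through the (possibly clobbered) address */
    return vm_run();
}

/* Attempt 1, classic stack injection: two instructions in the packet and a return
   address pointing at the data-memory location where they now sit. The PC treats
   that number as a program-memory address, which holds erased flash. */
int try_stack_injection(void) {
    uint8_t pkt[BUF_SIZE + 1] = { OP_SET_FLAG, OP_HALT, OP_NOP, OP_NOP, 0 };
    pkt[BUF_SIZE] = (uint8_t)(STACK_TOP - 1 - BUF_SIZE); /* data address of the buffer */
    vm_reset();
    return receive_packet(pkt, sizeof pkt);
}

/* Attempt 2, fake stack + return-oriented programming: the overflow lays down a
   chain of return addresses into existing code. The write routine is entered twice
   to store SET_FLAG;HALT at ADDR_TARGET, then the chain returns into that new code. */
int try_fake_stack(void) {
    uint8_t pkt[] = {
        OP_NOP, OP_NOP, OP_NOP, OP_NOP,           /* fills the legitimate buffer */
        ADDR_WRITE, ADDR_TARGET,     OP_SET_FLAG, /* prog[ADDR_TARGET]     = SET_FLAG */
        ADDR_WRITE, ADDR_TARGET + 1, OP_HALT,     /* prog[ADDR_TARGET + 1] = HALT */
        ADDR_TARGET                               /* run the injected code */
    };
    vm_reset();
    return receive_packet(pkt, sizeof pkt);
}

/* The injection is permanent: wiping data memory (a "reboot") leaves it in place. */
int injected_code_persists(void) {
    memset(vm.data, 0, DATA_SIZE);
    vm.sp = STACK_TOP; vm.flag = 0; vm.pc = ADDR_TARGET;
    return vm_run() == RUN_HALT && vm.flag == 1;
}

int vm_flag(void) { return vm.flag; }
int vm_prog_at(int addr) { return vm.prog[addr]; }

int main(void) {
    printf("stack injection: %s, flag=%d\n",
           try_stack_injection() == RUN_FAULT ? "fault" : "ran", vm_flag());
    printf("fake stack: %s, flag=%d, prog[%d]=%d\n",
           try_fake_stack() == RUN_HALT ? "halted cleanly" : "fault",
           vm_flag(), ADDR_TARGET, vm_prog_at(ADDR_TARGET));
    printf("injected code survives data-memory wipe: %d\n", injected_code_persists());
    return 0;
}
```

The model deliberately makes the fake stack nothing but addresses of code the device already carries plus the two bytes to be written; no byte from the packet is ever executed from data memory, which is exactly why a Harvard split does not by itself rule out persistent code injection. The counter-measures the paper discusses should be read with that in mind: the attack needs a memory-corruption bug, a reachable flash-write routine, and predictable code addresses.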