SpySense Spyware Tool

BlackHat USA 2011

Spy-Sense is a spyware tool that allows the injection of stealthy exploits into the heart of each node in a sensor network. Spy-Sense is undetectable, hard to recognize and get rid of, and once activated, it runs discreetly in the background without interfering with or disrupting normal network operation. It provides the ability to execute a stealthy exploit sequence that can be used to achieve the intruder's goals while reliably evading detection. To the best of our knowledge, this is the first instance of a spyware program that is able to crack the confidentiality and functionality of a sensor network.

What is SpySense

As the name suggests, Spy-Sense is malicious software that "spies" on sensor node activities and relays collected information back to the adversary. It can install remotely, secretly, and without consent, a number of stealthy exploits that threaten the network's security profile. Examples of exploits include data manipulation, cracking and network damage.

Exploit                  | Description                                                                                            | Size (bytes)
Data Theft               | Report back important or confidential info.                                                            | 114
Data Alteration          | Alter the value of existing data structures and variables.                                             | 56
Energy Exhaustion        | Initiate communication until the node drains all its energy.                                           | 102
Radio Comm. Break Down   | Shut down the radio transceiver or make the node believe that the transmission failed.                 | 8
Resource Usage           | Consume CPU cycles by putting the node in a sustained loop for a user-determined period of time.       | 22
ID Change                | Dynamically change the ID of a node, thus affecting the routing process.                               | 10

Spy-Sense exploits reside in a contiguous memory region on the host sensor platform. They can operate in stealth mode because they are programmed to change and restore the system's control flow in such a way that the underlying microcontroller never enters an unstable state. These exploits make use of an empty memory region reserved for use as the heap for dynamic memory allocation. Since commercial sensor platforms do not support dynamic allocation of memory during runtime, this address region between the heap and the stack remains empty, unused and unchecked during program execution. It works as an umbrella for all the exploits, masking their existence and reliably evading detection. Furthermore, it results in a permanent exploit injection: the microcontroller's main logic does not perform any actions on the heap region, and thus the only way of erasing heap contents is by physically capturing a node and forcing it to "hard" reset itself.
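The stealth argument above rests on the heap region being unchecked. A firmware-side integrity sweep of that idle region is the natural defensive counterpart: fill the reserved heap with a known pattern at boot and periodically verify that nothing has written into it. The following is an added example (not code from the Spy-Sense project or the authors); the 0xA5 fill value, the 256-byte region size and the simulated write are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fill value the firmware writes into the unused heap region at boot
   (assumed convention for this example, not a platform default). */
#define HEAP_FILL 0xA5

/* Scan an idle heap region and return the offset of the first byte that
   no longer holds the expected fill pattern, or -1 if the region is clean.
   On a platform without runtime dynamic allocation, any deviation means
   something wrote into memory the firmware itself never touches. */
long heap_region_first_dirty(const uint8_t *region, size_t len, uint8_t fill)
{
    for (size_t i = 0; i < len; i++) {
        if (region[i] != fill)
            return (long)i;
    }
    return -1;
}

/* Count contiguous non-fill bytes from a given offset: a rough size of the
   foreign payload (the table above lists payloads of 8 to 114 bytes). */
size_t heap_region_dirty_run(const uint8_t *region, size_t len, size_t start, uint8_t fill)
{
    size_t n = 0;
    for (size_t i = start; i < len && region[i] != fill; i++)
        n++;
    return n;
}

/* Constructed demo: a 256-byte idle heap region, then a simulated 22-byte
   write (the "Resource Usage" payload size from the table) at offset 64. */
static uint8_t demo_heap[256];

void demo_init_heap(void) { memset(demo_heap, HEAP_FILL, sizeof demo_heap); }

void demo_write(size_t offset, size_t n)
{
    for (size_t i = 0; i < n; i++)
        demo_heap[offset + i] = (uint8_t)(0x10 + i); /* arbitrary non-fill bytes */
}

int main(void)
{
    demo_init_heap();
    printf("clean region: first dirty offset = %ld\n",
           heap_region_first_dirty(demo_heap, sizeof demo_heap, HEAP_FILL));
    demo_write(64, 22);
    long off = heap_region_first_dirty(demo_heap, sizeof demo_heap, HEAP_FILL);
    printf("after write: first dirty offset = %ld, run length = %zu\n",
           off, heap_region_dirty_run(demo_heap, sizeof demo_heap, (size_t)off, HEAP_FILL));
    return 0;
}
```

The check is a heuristic: a payload byte that happens to equal the fill value splits the run count, so treat any non-zero deviation as the signal and the run length only as an estimate. Re-filling the region on every reset also removes the "permanent injection" property the text describes, since a reboot then clears the heap without a physical hard reset.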

SpySense Architecture Layout

Spy-Sense is based on an intelligent component-based system. The hosted components are capable of loading pre-defined exploit profiles, injecting them into the targeted network through a transparent transmission of a series of specially crafted messages, and receiving and logging all node replies that report back the requested system information. Its core functionality is based on three main conceptual modules:

  • Exploit Loader Component: The exploit loader is responsible for initializing the software by importing all predefined exploit profiles that reside in the Spy-Sense root folder. Such profiles contain the (i) machine code instructions that will be injected into the host sensor node, and (ii) their symbolic representation written in assembly language.
  • SetUp Engine: This powerful component is able to deploy imported exploits to a selected portion of the network nodes. Conceptually, the setup engine communicates internally with an exploit payload constructor module to create the message stream needed to hold all machine code instructions. Fundamental to this operation is the definition of an address pointer (ADDRcopyTo) which points to an appropriate memory address (inside the heap region) where the code will be stored.
  • Exploit Activation Component: Once the transmission is completed, the exploit activation component handles the last messages that need to be sent to activate a selected exploit on one or more of the host sensor nodes. The activation process requires the transmission of a series of specially crafted packets that redirect the program flow to the beginning of the exploit shellcode in the heap target region.