Shakedown: compiler-based moving target protection for Return Oriented Programing attacks on an industrial IoT device
Cybercriminals use Return Oriented Programming techniques to attack systems and IoT devices. While defenses have been developed, not all of them are applicable to constrained devices. We present Shakedown, a compile-time randomizing build tool that creates several versions of the binary, each with a distinct memory layout. An attack developed against one device will not work on another device which has a different memory layout. We tested Shakedown on an industrial IoT device and showed that its normal functionality remained intact while an exploit was blocked.
💡 Research Summary
The paper introduces Shakedown, a compiler‑based moving‑target defense designed for constrained industrial Internet‑of‑Things (IIoT) devices that are vulnerable to Return Oriented Programming (ROP) attacks. Traditional mitigations such as ASLR and DEP are often too heavyweight for low‑power, low‑resource gateways, so the authors propose a lightweight alternative that operates entirely at build time. Shakedown takes the source code and a random seed, then produces a binary whose internal layout (function order, function alignment, and object‑file linking order) is randomized. Three concrete techniques are implemented: (1) Function‑order randomization via an LLVM pass that permutes the module’s function list before machine code generation; (2) Function‑address alignment randomization that expands each function’s alignment requirement (e.g., from 16 bytes to 32 or 64 bytes), inserting variable padding between functions; (3) Object‑linking order randomization performed by a wrapper around the system linker that shuffles the order of object files before linking. Because each randomization step is driven by a seed supplied through an environment variable, developers can generate N distinct binaries simply by invoking the toolchain with N different seeds.
The authors evaluated Shakedown on a custom Kerlink gateway equipped with an ARM926EJ‑S CPU, which runs Worldsensing’s Loadsensing edge‑computing platform. They deliberately introduced a buffer‑overflow vulnerability and a “secret” function that an attacker would aim to invoke via a crafted ROP chain. With the unmodified binary, sending a malicious packet overwrote the return address, causing the secret function to execute and the attack to succeed. When the same source code was compiled with Shakedown (using two different seeds), the gateway behaved normally for legitimate traffic, but the malicious packet caused a crash and restart without invoking the secret function. The failure occurs because the attacker’s payload was built against the memory layout of the first binary, and the second binary’s randomized layout invalidates every gadget address the payload relies on.
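To make the layout argument from the two paragraphs above concrete, here is a small model, added for this summary and not part of the paper's toolchain, of the three seeded steps (object link order, function order, per‑function alignment) applied to a constructed set of object files; it shows that one seed always reproduces the same layout while a payload that hard‑codes the `secret` address from one build misses it on builds made with other seeds. The object names, function sizes and `TEXT_BASE` are assumptions chosen for illustration.

```python
import random

# Constructed sample program: object files with the functions (name, size in
# bytes) each contains. Not taken from the paper's Loadsensing firmware.
OBJECTS = {
    "net.o":  [("parse_packet", 120), ("send_reply", 64)],
    "main.o": [("main", 200), ("secret", 48)],
    "util.o": [("checksum", 36), ("log_msg", 92)],
}
ALIGNMENTS = (16, 32, 64)   # per-function alignment choices named in the paper
TEXT_BASE = 0x10000         # assumed start of the .text section

def align_up(addr, align):
    """Round addr up to the next multiple of align (a power of two)."""
    return (addr + align - 1) & ~(align - 1)

def layout(seed):
    """Address of every function in the binary built from one seed.

    Applies the three steps in link order: shuffle the object files, shuffle the
    functions inside each object, pick each function's alignment. The same seed
    always yields the same layout, so any individual build stays reproducible.
    """
    rng = random.Random(seed)
    objs = list(OBJECTS)
    rng.shuffle(objs)                        # (3) object-linking order
    addr, result = TEXT_BASE, {}
    for obj in objs:
        funcs = list(OBJECTS[obj])
        rng.shuffle(funcs)                   # (1) function order
        for name, size in funcs:
            addr = align_up(addr, rng.choice(ALIGNMENTS))   # (2) alignment padding
            result[name] = addr
            addr += size
    return result

def payload_hits(target, built_against, deployed):
    """True if a payload hard-coding target's address from build `built_against`
    still lands on target in build `deployed`."""
    return layout(built_against)[target] == layout(deployed)[target]

def seeds_defeating(target, built_against, candidate_seeds):
    """Deployed seeds on which a payload built against `built_against` misses."""
    return [s for s in candidate_seeds if not payload_hits(target, built_against, s)]

if __name__ == "__main__":
    for seed in (1, 2):
        print(f"seed {seed}: secret @ {layout(seed)['secret']:#x}")
    print("payload from seed 1 hits on seed 2:", payload_hits("secret", 1, 2))
```

The per‑device build record a defender needs is just the seed: keeping it alongside the deployed binary lets crash addresses be mapped back to functions without storing every diversified image.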
Performance impact is minimal: the randomizations happen only during compilation and linking, and no additional runtime checks or instrumentation are required. Consequently, the approach is suitable for devices with limited CPU cycles and power budgets. The paper also discusses operational challenges, notably the need for per‑device binary management, OTA update handling, and integration with existing bug‑tracking and security‑event systems.
Related work is surveyed, distinguishing binary‑level moving‑target techniques (e.g., Address Space Layout Permutation, Instruction Location Randomization) that require disassembly and are error‑prone, from compiler‑level diversity approaches that operate on source or object code. Shakedown aligns with the latter, offering a practical path to software diversity for IIoT.
In conclusion, Shakedown demonstrates that compile‑time randomization of code layout can effectively neutralize ROP attacks on industrial IoT gateways without incurring noticeable runtime overhead. Future work includes extending the set of randomization strategies (e.g., instruction‑level shuffling, automatic insertion of illegal‑memory traps) and developing tooling to automate the deployment and lifecycle management of per‑device diversified binaries.