A master programme thesis from Aalborg University

A Dual-Model Detection Framework Based on Address Validation and Boolean Control Flow: Runtime Software Attacks

Author(s)

Term

4th semester

Education

Publication year

2025

Submitted on

2025-06-03

Pages

118 pages

Abstract

Runtime software attacks pose a significant threat to embedded and IoT systems, particularly in safety-critical domains such as medical devices. Unlike traditional malware, these attacks hijack control flow without injecting new code, using techniques such as Return-Oriented Programming (ROP). This thesis explores both offensive and defensive aspects of runtime attacks through a vulnerable insulin pump controller as a real-world proof-of-concept. We first construct a functional ROP exploit on a standalone binary to demonstrate how attackers can bypass authentication and trigger unauthorized system calls using chained instruction-level gadgets. Building on this, we propose two lightweight runtime detection techniques for resource-constrained environments. The first method, Address-based ROP Detection (ARD), validates return addresses at runtime against a static whitelist of legitimate control-flow targets. The second method introduces a Boolean State Validator (BSVD) model that encodes program logic into Boolean state transitions, enabling semantic anomaly detection. Both techniques are implemented and evaluated using dynamic binary instrumentation (Intel PIN) and static analysis (Ghidra, angr). Results show reliable control-flow hijack detection with minimal overhead, without requiring source code or hardware changes.
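The abstract names two checks, ARD (return addresses validated against a static whitelist) and BSVD (program logic encoded as Boolean state transitions), but does not show them. The following is an added example, written for this page and not code from the thesis or its PIN tool, that implements both over constructed traces: the whitelist addresses, the pump-controller state model, the event names and the sample traces are all assumptions chosen for illustration, and the ret-instruction hook that a PIN tool would install is replaced by a pre-recorded array of observed return addresses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* --- ARD: return-address whitelist ------------------------------------
 * Constructed whitelist: the address immediately after each call
 * instruction in the protected binary, as a static pass over a
 * disassembly listing would extract them. Kept sorted for binary search. */
static const uintptr_t ard_whitelist[] = {
    0x401016, 0x40102b, 0x401044, 0x40105f, 0x401083
};
#define ARD_N (sizeof ard_whitelist / sizeof ard_whitelist[0])

/* True if addr is a legitimate return target. */
bool ard_is_valid(uintptr_t addr)
{
    size_t lo = 0, hi = ARD_N;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (ard_whitelist[mid] == addr) return true;
        if (ard_whitelist[mid] < addr) lo = mid + 1; else hi = mid;
    }
    return false;
}

/* Walk a trace of return addresses (what a hook on every ret would record).
 * Returns the index of the first non-whitelisted return, or -1 if clean. */
long ard_scan(const uintptr_t *trace, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!ard_is_valid(trace[i])) return (long)i;
    return -1;
}

/* --- BSVD: Boolean state validator ------------------------------------
 * Constructed controller logic: a bit vector of Boolean facts plus the
 * events (instrumented function entries) that are allowed to change them. */
enum { AUTHENTICATED = 1u << 0, DOSE_REQUESTED = 1u << 1, DOSING = 1u << 2 };

typedef enum {
    EV_AUTH_OK, EV_AUTH_FAIL, EV_REQUEST_DOSE, EV_DELIVER, EV_DONE, EV_LOGOUT
} event_t;

/* Apply one event. Returns false, leaving the state unchanged, when the
 * event's precondition does not hold: that is the semantic anomaly. */
bool bsvd_step(unsigned *state, event_t ev)
{
    unsigned s = *state;
    switch (ev) {
    case EV_AUTH_OK:      s |= AUTHENTICATED; break;
    case EV_AUTH_FAIL:    s &= ~AUTHENTICATED; break;
    case EV_REQUEST_DOSE: if (!(s & AUTHENTICATED)) return false;
                          s |= DOSE_REQUESTED; break;
    case EV_DELIVER:      /* needs auth + request, and no dose in flight */
                          if ((s & (AUTHENTICATED | DOSE_REQUESTED))
                                  != (AUTHENTICATED | DOSE_REQUESTED)) return false;
                          if (s & DOSING) return false;
                          s |= DOSING; break;
    case EV_DONE:         if (!(s & DOSING)) return false;
                          s &= ~(DOSING | DOSE_REQUESTED); break;
    case EV_LOGOUT:       s = 0; break;
    default:              return false;
    }
    *state = s;
    return true;
}

/* Index of the first event whose precondition fails, or -1 if clean. */
long bsvd_scan(const event_t *trace, size_t n)
{
    unsigned state = 0;
    for (size_t i = 0; i < n; i++)
        if (!bsvd_step(&state, trace[i])) return (long)i;
    return -1;
}

/* Constructed sample traces: one benign run and one hijacked run each.
 * The ROP trace returns into gadget addresses that follow no call; the
 * hijacked event trace reaches the dose function with authentication failed. */
const uintptr_t benign_returns[] = { 0x401016, 0x40102b, 0x401044 };
const uintptr_t rop_returns[]    = { 0x401016, 0x4011f3, 0x4011a2 };
const event_t benign_events[]    = { EV_AUTH_OK, EV_REQUEST_DOSE, EV_DELIVER, EV_DONE, EV_LOGOUT };
const event_t hijack_events[]    = { EV_AUTH_FAIL, EV_DELIVER };
const event_t double_dose_events[] = { EV_AUTH_OK, EV_REQUEST_DOSE, EV_DELIVER, EV_DELIVER };

int main(void)
{
    printf("ARD  benign: %ld  rop: %ld\n", ard_scan(benign_returns, 3), ard_scan(rop_returns, 3));
    printf("BSVD benign: %ld  hijack: %ld  double dose: %ld\n",
           bsvd_scan(benign_events, 5), bsvd_scan(hijack_events, 2), bsvd_scan(double_dose_events, 4));
    return 0;
}
```

The two checks are complementary in a way the example makes concrete: ARD flags the second entry of the ROP trace because a gadget address is not a call-site return, but a whitelist of return addresses alone cannot flag a gadget that happens to begin right after a call instruction, while BSVD flags the hijacked event trace regardless of which addresses were used to reach the dose function, because the Boolean fact AUTHENTICATED was never established.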


Colophon: This page is part of the AAU Student Projects portal, which is run by Aalborg University. Here, you can find and download publicly available bachelor's theses and master's projects from across the university dating from 2008 onwards. Student projects from before 2008 are available in printed form at Aalborg University Library.

If you have any questions about AAU Student Projects or the research registration, dissemination and analysis at Aalborg University, please feel free to contact the VBN team. You can also find more information in the AAU Student Projects FAQs.