Lead Institution: University of Washington

Project Leader: Tadayoshi Kohno

Research Progress

• Abstract
  Medical devices are now pervasively computerized. Embedded computers are now an integral part of evaluating, diagnosing, and treating patients. For example, software running on implantable cardioverter defibrillators (ICDs) evaluates the heart’s electrical signals and issues shocks to correct arrhythmias. This project focuses on building a platform to assist in the security and privacy analysis of medical devices. Such a system can be used by device manufacturers to proactively assess their device’s security and privacy.

• Focus of the research/Market need for this project
  Like many other embedded systems, medical devices are often vulnerable to attack, and tools (such as fuzzers) that help developers identify and mitigate potential vulnerabilities in desktop applications do not translate well to embedded systems. To our knowledge, there are no existing, widespread commercial products designed to assist in the automated analysis of medical device security.

• Project Aims/Goals
  The goal of this project is to produce a system that semi-automatically evaluates medical devices for potential vulnerabilities by intelligently exploring state spaces and code paths of these devices.

• Key Conclusions/Significant Findings/Milestones reached/Deliverables
  To accomplish our goals, we set out to emulate a device under test (DUT), running its code symbolically, and using a constraint solver to identify new inputs to explore new, potentially vulnerable code paths. This technique is widely used to check desktop and server software for vulnerabilities. However, there are a number of challenges to overcome in order to apply this technique to embedded systems. Embedded systems, and especially medical devices, treat the environment as their I/O. Therefore, it is difficult to emulate these systems without correctly emulating the environment they work in. While others have proposed emulating the environment as completely unconstrained (being able to produce any input at any time), this quickly leads to a state space explosion which prevents this technique from working on moderately-complex systems. Instead, we constrain emulation by redirecting most of the I/O to the real DUT. The emulated system runs as if it were running natively, but we are now able to keep track of symbolic constraints, instrument execution arbitrarily, and substitute specific inputs to explore new code paths.

  The main challenge to this approach is redirecting the I/O in near real-time. This can be essential for proper emulation. For example, when we applied an early prototype of our system to an insulin pump, the other hardware in the system detected a timing anomaly and forced it to shut down. In other cases, slow I/O can make emulation far too slow to be feasible. Using commercial off-the-shelf hardware, we were unable to redirect I/O fast enough, with the main bottlenecks being the OS of the host and the latency inherent in USB. Thus, we set out to build dedicated hardware that would sit directly on the host’s PCI Express bus and almost transparently map part of the DUT’s memory space into the host’s.

  Developing this hardware was a lot more challenging than anticipated, but we have finally resolved the last few remaining issues with the hardware. We are now finishing a rewrite of the hardware driver to allow the hardware to be directly memory-mapped into the emulator’s process, bypassing OS overhead on every I/O operation. We expect to submit a publication on this system in May, demonstrating the performance and new capabilities it provides by applying it to several devices, including the insulin pump.

• Materials Available for Other Investigators/interested parties
  Details of the hardware design will be made available soon.

• Market entry strategies
  Our platform is designed to help device manufacturers evaluate the security and privacy properties of their medical devices. We plan to share our results and methodologies with device manufacturers.

Bibliography
Security Risks, Low-tech User Interfaces, and Implantable Medical Devices: A Case Study with Insulin Pump Infusion Systems
Nathanael Paul and Tadayoshi Kohno
3rd USENIX Workshop on Health Security and Privacy (HealthSec ’12), August 6-7, 2012

A Review of the Security of Insulin Pump Infusion Systems
Nathanael Paul, Tadayoshi Kohno, and David C. Klonoff
Journal of Diabetes Science and Technology, 2011