Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks

As control-flow hijacking defenses gain adoption, it is important to understand the remaining capabilities of adversaries via memory exploits. Non-control data exploits are used to mount information leakage attacks or privilege escalation attacks program memory. Compared to control-flow hijacking attacks, such non-control data exploits have limited expressiveness, however, the question is: what is the real expressive power of non-control data attacks? In this paper we show that such attacks are Turing-complete. We present a systematic technique called data-oriented programming (DOP) to construct expressive non-control data exploits for arbitrary x86 programs. In the experimental evaluation using 9 programs, we identified 7518 data-oriented x86 gadgets and 5052 gadget dispatchers, which are the building blocks for DOP. 8 out of 9 real-world programs have gadgets to simulate arbitrary computations and 2 of them are confirmed to be able to build Turing-complete attacks. We build 3 end-to-end attacks to bypass randomization defenses without leaking addresses, to run a network bot which takes commands from the attacker, and to alter the memory permissions. All the attacks work in the presence of ASLR and DEP, demonstrating how the expressiveness offered by DOP significantly empowers the attacker.

[1]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[2]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[3]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[4]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[5]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[6]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[7]  S. Bhatkar,et al.  Data Space Randomization , 2008, DIMVA.

[8]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[9]  Hovav Shacham,et al.  Return-oriented programming without returns , 2010, CCS '10.

[10]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[11]  Periklis Akritidis,et al.  Cling: A Memory Allocator to Mitigate Dangling Pointers , 2010, USENIX Security Symposium.

[12]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.

[13]  Sergey Bratus,et al.  Exploiting the Hard-Working DWARF: Trojan and Exploit Techniques with No Native Executable Code , 2011, WOOT.

[14]  Per Larsen,et al.  Microgadgets: Size Does Matter in Turing-Complete Return-Oriented Programming , 2012, WOOT.

[15]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[16]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[17]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[18]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[19]  Sergey Bratus,et al.  The Page-Fault Weird Machine: Lessons in Instruction-less Computation , 2013, WOOT.

[20]  Sergey Bratus,et al.  "Weird Machines" in ELF: A Spotlight on the Underappreciated Metadata , 2013, WOOT.

[21]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[22]  Ben Niu,et al.  Modular control-flow integrity , 2014, PLDI.

[23]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[24]  Dan Boneh,et al.  Hacking Blind , 2014, 2014 IEEE Symposium on Security and Privacy.

[25]  Vikram S. Adve,et al.  KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels , 2014, 2014 IEEE Symposium on Security and Privacy.

[26]  Herbert Bos,et al.  Framing Signals - A Return to Portable Shellcode , 2014, 2014 IEEE Symposium on Security and Privacy.

[27]  Peng Liu,et al.  A Practical Approach for Adaptive Data Structure Layout Randomization , 2015, ESORICS.

[28]  Dan Boneh,et al.  CCFI: Cryptographically Enforced Control Flow Integrity , 2015, CCS.

[29]  Zhenkai Liang,et al.  Automatic Generation of Data-Oriented Exploits , 2015, USENIX Security Symposium.

[30]  Stephen Checkoway,et al.  Run-DMA , 2015, WOOT.

[31]  Per Larsen,et al.  Readactor: Practical Code Randomization Resilient to Memory Disclosure , 2015, 2015 IEEE Symposium on Security and Privacy.

[32]  David A. Wagner,et al.  Control-Flow Bending: On the Effectiveness of Control-Flow Integrity , 2015, USENIX Security Symposium.

[33]  Ben Niu,et al.  Per-Input Control-Flow Integrity , 2015, CCS.

[34]  Ahmad-Reza Sadeghi,et al.  Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications , 2015, 2015 IEEE Symposium on Security and Privacy.

[35]  William W. Streilein,et al.  Timely Rerandomization for Mitigating Memory Disclosures , 2015, CCS.

[36]  Fan Long,et al.  Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity , 2015, CCS.

[37]  Herbert Bos,et al.  Practical Context-Sensitive CFI , 2015, CCS.

[38]  William R. Harris,et al.  Enforcing Kernel Security Invariants with Data Flow Integrity. , 2016, NDSS 2016.

[39]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..