Exploitation Techniques and Defenses for Data-Oriented Attacks

Data-oriented attacks manipulate non-control data to alter a program's benign behavior without violating its control-flow integrity. It has been shown that such attacks can cause significant damage even in the presence of control-flow defense mechanisms. However, these threats have not been adequately addressed. In this systematization of knowledge (SoK) paper, we first map data-oriented exploits, including Data-Oriented Programming (DOP) and Block-Oriented Programming attacks, to their assumptions/requirements and attack capabilities. We also compare known defenses against these attacks, in terms of approach, detection capabilities, overhead, and compatibility. Then we discuss the possible frequency anomalies of data-oriented attacks, especially the frequency anomalies of DOP attacks with experimental proofs. It is generally believed that control flows may not be useful for data-oriented security. How-ever, the frequency anomalies show that data-oriented attacks (especially DOP attacks) may generate side-effects on control-flow behavior in multiple dimensions. In the end, we discuss challenges for building deployable data-oriented defenses and open research questions.

[1]  Wenke Lee,et al.  How to Make ASLR Win the Clone Wars: Runtime Re-Randomization , 2016, NDSS.

[2]  J WeyukerElaine,et al.  Selecting Software Test Data Using Data Flow Information , 1985 .

[3]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[4]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[5]  William R. Harris,et al.  Enforcing Kernel Security Invariants with Data Flow Integrity. , 2016, NDSS 2016.

[6]  Jeff Seibert,et al.  Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code , 2014, CCS.

[7]  Xi Wang,et al.  Software fault isolation with API integrity and multi-principal modules , 2011, SOSP.

[8]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[9]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[10]  Herbert Bos,et al.  Poking Holes in Information Hiding , 2016, USENIX Security Symposium.

[11]  Angelos D. Keromytis,et al.  Transparent ROP Exploit Mitigation Using Indirect Branch Tracing , 2013, USENIX Security Symposium.

[12]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[13]  Dan Boneh,et al.  CCFI: Cryptographically Enforced Control Flow Integrity , 2015, CCS.

[14]  Per Larsen,et al.  Security through Diversity: Are We There Yet? , 2014, IEEE Security & Privacy.

[15]  Michael Shuey,et al.  StackGhost: Hardware Facilitated Stack Protection , 2001, USENIX Security Symposium.

[16]  Per Larsen,et al.  Address Oblivious Code Reuse: On the Effectiveness of Leakage Resilient Diversity , 2017, NDSS.

[17]  Ahmad-Reza Sadeghi,et al.  HAFIX: Hardware-Assisted Flow Integrity eXtension , 2015, 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC).

[18]  Ahmad-Reza Sadeghi,et al.  HardScope: Thwarting DOP with Hardware-assisted Run-time Scope Enforcement , 2017, ArXiv.

[19]  David Brumley,et al.  Q: Exploit Hardening Made Easy , 2011, USENIX Security Symposium.

[20]  Naren Ramakrishnan,et al.  Unearthing Stealthy Program Attacks Buried in Extremely Long Execution Paths , 2015, CCS.

[21]  Per Larsen,et al.  Readactor: Practical Code Randomization Resilient to Memory Disclosure , 2015, 2015 IEEE Symposium on Security and Privacy.

[22]  Zhenkai Liang,et al.  Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[23]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[24]  Ahmad-Reza Sadeghi,et al.  Hardware-assisted fine-grained control-flow integrity: Towards efficient protection of embedded systems against software exploitation , 2014, 2014 51st ACM/EDAC/IEEE Design Automation Conference (DAC).

[25]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[26]  Sotiris Ioannidis,et al.  HCFI: Hardware-enforced Control-Flow Integrity , 2016, CODASPY.

[27]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.

[28]  Yue Chen,et al.  Remix: On-demand Live Randomization , 2016, CODASPY.

[29]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[30]  Martín Abadi,et al.  Architectural support for software-based protection , 2006, ASID '06.

[31]  Xi Chen,et al.  The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later , 2017, CCS.

[32]  M. Castro,et al.  Data Randomization , 2008 .

[33]  David Walker,et al.  Modular Protections against Non-control Data Attacks , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[34]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[35]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[36]  Michael Backes,et al.  Oxymoron: Making Fine-Grained Memory Randomization Practical by Allowing Code Sharing , 2014, USENIX Security Symposium.

[37]  Trent Jaeger,et al.  Block Oriented Programming: Automating Data-Only Attacks , 2018, CCS.

[38]  Per Larsen,et al.  Hardware Assisted Randomization of Data , 2018, RAID.

[39]  Chen Liu,et al.  Can Data-Only Exploits be Detected at Runtime Using Hardware Events?: A Case Study of the Heartbleed Vulnerability , 2016, HASP 2016.

[40]  Hovav Shacham,et al.  Return-Oriented Programming: Systems, Languages, and Applications , 2012, TSEC.

[41]  Per Larsen,et al.  Profile-guided automated software diversity , 2013, Proceedings of the 2013 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).

[42]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[43]  Andrew W. Moore,et al.  X-means: Extending K-means with Efficient Estimation of the Number of Clusters , 2000, ICML.

[44]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[45]  Per Larsen,et al.  Strategy without tactics: Policy-agnostic hardware-enhanced control-flow integrity , 2016, 2016 53nd ACM/EDAC/IEEE Design Automation Conference (DAC).

[46]  Roland H. C. Yap,et al.  Stack Bounds Protection with Low Fat Pointers , 2017, NDSS.

[47]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[48]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[49]  Zhenkai Liang,et al.  "The Web/Local" Boundary Is Fuzzy: A Security Study of Chrome's Process-based Sandboxing , 2016, CCS.

[50]  Per Larsen,et al.  SoK: Sanitizing for Security , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[51]  Long Lu,et al.  Compiler-Assisted Code Randomization , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[52]  Frank Piessens,et al.  Breaking the memory secrecy assumption , 2009, EUROSEC '09.

[53]  Dan Boneh,et al.  Cryptographically Enforced Control Flow Integrity , 2014, ArXiv.

[54]  Yunheung Paek,et al.  HDFI: Hardware-Assisted Data-Flow Isolation , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[55]  Junfeng Yang,et al.  Shuffler: Fast and Deployable Continuous Code Re-Randomization , 2016, OSDI.

[56]  Peng Ning,et al.  Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[57]  Quan Chen,et al.  PrivWatcher: Non-bypassable Monitoring and Protection of Process Credentials from Memory Corruption Attacks , 2017, AsiaCCS.

[58]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[59]  Per Larsen,et al.  SoK: Automated Software Diversity , 2014, 2014 IEEE Symposium on Security and Privacy.

[60]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..

[61]  Dan Boneh,et al.  Hacking Blind , 2014, 2014 IEEE Symposium on Security and Privacy.

[62]  Michalis Polychronakis,et al.  Revisiting Browser Security in the Modern Era: New Data-Only Attacks and Defenses , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[63]  Miguel Castro,et al.  Fast byte-granularity software fault isolation , 2009, SOSP '09.

[64]  Michalis Polychronakis,et al.  No-Execute-After-Read: Preventing Code Disclosure in Commodity Software , 2016, AsiaCCS.

[65]  Jack W. Davidson,et al.  ILR: Where'd My Gadgets Go? , 2012, 2012 IEEE Symposium on Security and Privacy.

[66]  Christof Fetzer,et al.  SGXBOUNDS: Memory Safety for Shielded Execution , 2017, EuroSys.

[67]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[68]  Chen Liu,et al.  Detecting Data Exploits Using Low-level Hardware Information: A Short Time Series Approach , 2018 .

[69]  Yutao Liu,et al.  CFIMon: Detecting violation of control flow integrity using performance counters , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[70]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[71]  Ahmad-Reza Sadeghi,et al.  PT-Rand: Practical Mitigation of Data-only Attacks against Page Tables , 2017, NDSS.

[72]  Milo M. K. Martin,et al.  Hardbound: architectural support for spatial safety of the C programming language , 2008, ASPLOS.

[73]  Cristiano Giuffrida,et al.  Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization , 2012, USENIX Security Symposium.

[74]  David A. Wagner,et al.  Control-Flow Bending: On the Effectiveness of Control-Flow Integrity , 2015, USENIX Security Symposium.

[75]  William W. Streilein,et al.  Timely Rerandomization for Mitigating Memory Disclosures , 2015, CCS.

[76]  David Litchfield Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server , 2003 .

[77]  Yongqiang Lyu,et al.  Control Flow Integrity Based on Lightweight Encryption Architecture , 2018, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[78]  Hai Huang,et al.  Kernel Data Attack Is a Realistic Security Threat , 2015, SecureComm.

[79]  Yutao Liu,et al.  Transparent and Efficient CFI Enforcement with Intel Processor Trace , 2017, 2017 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[80]  Mehmet Kayaalp,et al.  Branch regulation: Low-overhead protection from code reuse attacks , 2012, 2012 39th Annual International Symposium on Computer Architecture (ISCA).

[81]  David A. Wagner,et al.  ROP is Still Dangerous: Breaking Modern Defenses , 2014, USENIX Security Symposium.

[82]  S. Bhatkar,et al.  Data Space Randomization , 2008, DIMVA.

[83]  Manos Antonakakis,et al.  Security Risks in Asynchronous Web Servers: When Performance Optimizations Amplify the Impact of Data-Oriented Attacks , 2018, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[84]  Roland H. C. Yap,et al.  Heap bounds protection with low fat pointers , 2016, CC.

[85]  Thomas R. Gross,et al.  CAIN: Silently Breaking ASLR in the Cloud , 2015, WOOT.

[86]  William R. Harris,et al.  Efficient Protection of Path-Sensitive Control Security , 2017, USENIX Security Symposium.

[87]  Salvatore J. Stolfo,et al.  Heisenbyte: Thwarting Memory Disclosure Attacks using Destructive Code Reads , 2015, CCS.

[88]  Claude Castelluccia,et al.  Code injection attacks on harvard-architecture devices , 2008, CCS.

[89]  Tao Zhang,et al.  Using Branch Correlation to Identify Infeasible Paths for Anomaly Detection , 2006, 2006 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'06).

[90]  David A. Wagner,et al.  The Performance Cost of Shadow Stacks and Stack Canaries , 2015, AsiaCCS.

[91]  John Johansen,et al.  PointGuard™: Protecting Pointers from Buffer Overflow Vulnerabilities , 2003, USENIX Security Symposium.

[92]  Kevin W. Hamlen,et al.  Binary stirring: self-randomizing instruction addresses of legacy x86 binary code , 2012, CCS.

[93]  Somesh Jha,et al.  OEI: Operation Execution Integrity for Embedded Devices , 2018, ArXiv.

[94]  J. Gregory Morrisett,et al.  Combining control-flow integrity and static analysis for efficient and validated data sandboxing , 2011, CCS '11.

[95]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[96]  Zhiqiang Lin,et al.  PT-CFI: Transparent Backward-Edge Control Flow Violation Detection Using Intel Processor Trace , 2017, CODASPY.

[97]  Trent Jaeger,et al.  GRIFFIN: Guarding Control Flows Using Intel Processor Trace , 2017, ASPLOS.

[98]  Susan Horwitz,et al.  Protecting C programs from attacks via invalid pointer dereferences , 2003, ESEC/FSE-11.

[99]  Peter G. Neumann,et al.  The CHERI capability model: Revisiting RISC in an age of risk , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[100]  Per Larsen,et al.  Selfrando: Securing the Tor Browser against De-anonymization Exploits , 2016, Proc. Priv. Enhancing Technol..

[101]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[102]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[103]  Wenke Lee,et al.  ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks , 2015, CCS.

[104]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[105]  Arati Baliga,et al.  Lurking in the Shadows: Identifying Systemic Threats to Kernel Data , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[106]  Christian W. Otterstad A brief evaluation of Intel®MPX , 2015, 2015 Annual IEEE Systems Conference (SysCon) Proceedings.

[107]  Michael Backes,et al.  You Can Run but You Can't Read: Preventing Disclosure Exploits in Executable Code , 2014, CCS.

[108]  Simha Sethumadhavan,et al.  Practical Memory Safety with REST , 2018, 2018 ACM/IEEE 45th Annual International Symposium on Computer Architecture (ISCA).

[109]  Zhenkai Liang,et al.  Automatic Generation of Data-Oriented Exploits , 2015, USENIX Security Symposium.

[110]  Peng Ning,et al.  HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities , 2015, CODASPY.

[111]  William R. Harris,et al.  Enforcing Unique Code Target Property for Control-Flow Integrity , 2018, CCS.