research-article
Open Access

Exploitation Techniques for Data-oriented Attacks with Existing and Potential Defense Approaches

Published: 02 September 2021

Abstract

Data-oriented attacks manipulate non-control data to alter a program’s benign behavior without violating its control-flow integrity. It has been shown that such attacks can cause significant damage even in the presence of control-flow defense mechanisms. However, these threats have not been adequately addressed. In this survey article, we first map data-oriented exploits, including Data-Oriented Programming (DOP) and Block-Oriented Programming (BOP) attacks, to their assumptions/requirements and attack capabilities. Then, we compare known defenses against these attacks, in terms of approach, detection capabilities, overhead, and compatibility. It is generally believed that control flows may not be useful for data-oriented security. However, data-oriented attacks (especially DOP attacks) may generate side effects on control-flow behaviors in multiple dimensions (i.e., incompatible branch behaviors and frequency anomalies). We also characterize control-flow anomalies caused by data-oriented attacks. In the end, we discuss challenges for building deployable data-oriented defenses and open research questions.
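To make the abstract's last claim concrete, here is an added example (not code from the survey or any of the systems it cites) of a toy branch-behaviour monitor: a simulated request dispatcher whose handler is selected by a non-control data field, a CFI-style check that only validates branch legality, and a benign profile that flags the two side effects named above, frequency anomalies and incompatible branch sequences. All request data, branch ids and the slack factor are constructed for the example.

```python
"""Toy branch-behaviour monitor (added example; constructed data, hypothetical names)."""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Static set of legal branch ids for the dispatcher below. A CFI policy checks
# membership in this set and nothing else.
LEGAL_BRANCHES = {"loop", "loop_exit", "br_open", "br_read", "br_write", "br_close", "br_err"}


def dispatcher(ops: List[str]) -> Tuple[List[str], int]:
    """Simulated request loop. `ops` is non-control data read from the request;
    each op's value selects which legitimate handler branch runs.
    Returns (branch trace, number of I/O operations performed)."""
    trace: List[str] = []
    done = 0
    for op in ops:
        trace.append("loop")  # dispatcher back-edge, once per record
        if op == "open":
            trace.append("br_open")
        elif op == "read":
            trace.append("br_read")
            done += 1
        elif op == "write":
            trace.append("br_write")
            done += 1
        elif op == "close":
            trace.append("br_close")
        else:
            trace.append("br_err")
            break
    trace.append("loop_exit")
    return trace, done


def cfi_check(trace: List[str]) -> bool:
    """What a control-flow-integrity check sees: is every branch a legal one?"""
    return all(b in LEGAL_BRANCHES for b in trace)


def handler_pairs(trace: List[str]) -> List[Tuple[str, str]]:
    """Consecutive handler branches, with the loop markers removed."""
    h = [b for b in trace if b not in ("loop", "loop_exit")]
    return list(zip(h, h[1:]))


class BranchModel:
    """Benign profile: per-branch maximum frequency per request, plus the set of
    handler-branch pairs that ever occur back to back in benign traffic."""

    def __init__(self, slack: float = 2.0) -> None:
        self.max_count: Counter = Counter()
        self.pairs: Set[Tuple[str, str]] = set()
        self.slack = slack  # tolerated growth over the largest benign count

    def train(self, trace: List[str]) -> None:
        for branch, n in Counter(trace).items():
            self.max_count[branch] = max(self.max_count[branch], n)
        self.pairs.update(handler_pairs(trace))

    def check(self, trace: List[str]) -> Dict[str, list]:
        """Report frequency anomalies and incompatible (never co-occurring)
        handler sequences; an unseen branch shows up in both lists."""
        report: Dict[str, list] = {"frequency": [], "incompatible": []}
        for branch, n in Counter(trace).items():
            if n > self.slack * self.max_count[branch]:
                report["frequency"].append((branch, n))
        for pair in handler_pairs(trace):
            if pair not in self.pairs and pair not in report["incompatible"]:
                report["incompatible"].append(pair)
        return report


# Constructed benign requests used to train the profile.
BENIGN_REQUESTS = [
    ["open", "read", "read", "close"],
    ["open", "write", "close"],
    ["open", "read", "write", "close"],
]

# Constructed corrupted request: the op fields were overwritten so the loop runs
# far more times than any benign request and alternates handlers in an order
# benign traffic never produces. Every branch taken is still a legal one.
CORRUPTED_REQUEST = ["open"] + ["write", "read"] * 50 + ["close"]


def build_model() -> BranchModel:
    model = BranchModel()
    for req in BENIGN_REQUESTS:
        trace, _ = dispatcher(req)
        model.train(trace)
    return model


def analyse(ops: List[str]) -> Dict[str, object]:
    """Run one request through the CFI-style and behaviour-profile checks."""
    model = build_model()
    trace, done = dispatcher(ops)
    report = model.check(trace)
    return {
        "cfi_ok": cfi_check(trace),
        "ops_done": done,
        "frequency": report["frequency"],
        "incompatible": report["incompatible"],
    }


if __name__ == "__main__":
    print("benign   :", analyse(["open", "read", "write", "close"]))
    print("corrupted:", analyse(CORRUPTED_REQUEST))
```

Both requests pass the CFI-style check, which is the survey's point; only the frequency and compatibility profile separates them, and a real monitor would take its traces from instrumentation or a hardware branch trace rather than from a simulated loop.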

  121. Danfeng (Daphne) Yao, Xiaokui Shu, Long Cheng, and Salvatore J. Stolfo. 2017. Anomaly detection as a service: Challenges, advances, and opportunities. Synth. Lect. Inf. Secur. Priv. Trust 9, 3 (2017), 1–173.Google ScholarGoogle ScholarCross RefCross Ref
  122. Suan Hsi Yong and Susan Horwitz. 2003. Protecting C programs from attacks via invalid pointer dereferences. In Proceedings of the 9th European Software Engineering Conference Held Jointly with 11th ACM SIGSOFT International Symposium on Foundations of Software Engineering, Vol. 28. 307–316. Google ScholarGoogle ScholarDigital LibraryDigital Library
  123. Chao Zhang, Tao Wei, Zhaofeng Chen, Lei Duan, Laszlo Szekeres, Stephen McCamant, Dawn Song, and Wei Zou. 2013. Practical control flow integrity and randomization for binary executables. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP’13). IEEE, 559–573. Google ScholarGoogle ScholarDigital LibraryDigital Library
  124. Hao Zhang, Danfeng Daphne Yao, Naren Ramakrishnan, and Zhibin Zhang. 2016. Causality reasoning about network events for detecting stealthy malware activities. Comput. Secur. 58 (2016), 180–198. Google ScholarGoogle ScholarDigital LibraryDigital Library
  125. Mingwei Zhang and R. Sekar. 2013. Control flow integrity for COTS binaries. In Proceedings of the 22nd USENIX Security Symposium (USENIX Security’13). 337–352. Google ScholarGoogle ScholarDigital LibraryDigital Library
  126. X. Zhuang, T. Zhang, and S. Pande. 2006. Using branch correlation to identify infeasible paths for anomaly detection. In Proceedings of the IEEE/ACM International Symposium on Microarchitecture (MICRO’06). 113–122. Google ScholarGoogle ScholarDigital LibraryDigital Library

        Published in

          ACM Transactions on Privacy and Security, Volume 24, Issue 4
          November 2021
          295 pages
          ISSN: 2471-2566
          EISSN: 2471-2574
          DOI: 10.1145/3476876

          Copyright © 2021 ACM

          Publisher

          Association for Computing Machinery, New York, NY, United States

          Publication History

          • Published: 2 September 2021
          • Accepted: 1 April 2021
          • Received: 1 May 2020
          Qualifiers

          • research-article
          • Research
          • Refereed