Exploitation Techniques and Defenses for Data-Oriented Attacks

Long Cheng, Hans Liljestrand, Md Salman Ahmed, Thomas Nyman, Trent Jaeger, N. Asokan, Danfeng (Daphne) Yao

Tutkimustuotos: Artikkeli kirjassa/konferenssijulkaisussaConference contributionScientificvertaisarvioitu

Abstrakti

Data-oriented attacks manipulate non-control data to alter a program’s benign behavior without violating its control-flow integrity. It has been shown that such attacks can cause significant damage even in the presence of control-flow defense mechanisms. However, these threats have not been adequately addressed. In this systematization of knowledge (SoK) paper, we first map data-oriented exploits, including Data-Oriented Programming (DOP) and Block-Oriented Programming attacks, to their assumptions/requirements and attack capabilities. We also compare known defenses against these attacks, in terms of approach, detection capabilities, overhead, and compatibility. Then we discuss the possible frequency anomalies of data-oriented attacks, especially the frequency anomalies of DOP attacks with experimental proofs. It is generally believed that control flows may not be useful for data-oriented security. However, the frequency anomalies show that data-oriented attacks (especially DOP attacks) may generate side-effects on control-flow behavior in multiple dimensions. In the end, we discuss challenges for building deployable data-oriented defenses and open research questions.
AlkuperäiskieliEnglanti
OtsikkoProceedings - 2019 IEEE Secure Development, SecDev 2019
KustantajaIEEE
Sivut114-128
Sivumäärä15
ISBN (elektroninen)978-1-5386-7289-1
DOI - pysyväislinkit
TilaJulkaistu - 2019
OKM-julkaisutyyppiA4 Artikkeli konferenssijulkaisuussa
TapahtumaIEEE Secure Development Conference - McLean, Yhdysvallat
Kesto: 25 syyskuuta 201927 syyskuuta 2019

Conference

ConferenceIEEE Secure Development Conference
LyhennettäSecDev
MaaYhdysvallat
KaupunkiMcLean
Ajanjakso25/09/201927/09/2019

Sormenjälki

Sukella tutkimusaiheisiin 'Exploitation Techniques and Defenses for Data-Oriented Attacks'. Ne muodostavat yhdessä ainutlaatuisen sormenjäljen.

Siteeraa tätä