Exploitation Techniques and Defenses for Data-Oriented Attacks

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; Scientific; peer-review


Research units

  • Pennsylvania State University
  • Virginia Tech
  • Clemson University


Data-oriented attacks manipulate non-control data to alter a program’s benign behavior without violating its control-flow integrity. It has been shown that such attacks can cause significant damage even in the presence of control-flow defense mechanisms. However, these threats have not been adequately addressed. In this systematization of knowledge (SoK) paper, we first map data-oriented exploits, including Data-Oriented Programming (DOP) and Block-Oriented Programming attacks, to their assumptions/requirements and attack capabilities. We also compare known defenses against these attacks, in terms of approach, detection capabilities, overhead, and compatibility. Then we discuss the possible frequency anomalies of data-oriented attacks, especially the frequency anomalies of DOP attacks with experimental proofs. It is generally believed that control flows may not be useful for data-oriented security. However, the frequency anomalies show that data-oriented attacks (especially DOP attacks) may generate side-effects on control-flow behavior in multiple dimensions. In the end, we discuss challenges for building deployable data-oriented defenses and open research questions.


Original language: English
Title of host publication: Proceedings - 2019 IEEE Secure Development, SecDev 2019
Publication status: Published - 2019
MoE publication type: A4 Article in a conference publication
Event: IEEE Secure Development Conference - McLean, United States
Duration: 25 Sep 2019 to 27 Sep 2019


Conference: IEEE Secure Development Conference
Abbreviated title: SecDev
Country: United States

    Research areas

  • Data-oriented attacks, Defenses, Exploitation techniques

ID: 38544717