Practical Run-Time Mitigations Against Data-Oriented Attacks
- Author(s): Rajasekaran, Prabhu Karthikeyan
- Advisor(s): Franz, Michael
- et al.
Data-oriented exploits are growing in popularity as defenders close the attack vectors related to control-flow exploits. Data-Oriented Programming (DOP), a generalization of data-oriented attacks, stitches together data-oriented gadgets and can perform Turing-complete computation in memory. Moreover, data-oriented exploits modify the behavior of the program without violating its control flow, and therefore cannot be stopped by ubiquitous control-flow mitigations such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and Control Flow Integrity (CFI).
A unified solution cannot address all memory corruption errors, as there are different classes of memory corruption errors and each of them requires careful consideration. The arguments to variadic functions in C and C++ cannot be statically type-checked by the compiler and therefore expose a significant memory corruption attack surface. In this dissertation, we present a comprehensive approach that effectively type-checks variadic function arguments and thus addresses the attacks that exploit variadic-function-related memory corruption errors. Our evaluation shows that our solution is practical, as the measured overhead is negligible (0.45%), and effective, as we show in several case studies.
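The following C program is an added illustration of the idea behind run-time type-checking of variadic arguments; it is not the dissertation's implementation. The call site records the types of the arguments it actually passed (here filled in by hand, where a compiler-based scheme would emit this record automatically), and the callee checks every `va_arg` against that record before consuming it, so a format directive that disagrees with the passed argument, or that asks for more arguments than were passed, is flagged instead of reading memory it was never given. All names (`va_desc`, `check_arg`, `checked_format`, the `demo_*` functions) are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Type tags for the arguments a caller actually passed (hypothetical scheme). */
enum arg_type { ARG_INT, ARG_DOUBLE, ARG_CSTR };

/* Call-site descriptor: what the caller passed, in order. In a compiler-based
   design this would be emitted at each call site; here it is built by hand. */
struct va_desc {
    int count;                   /* number of variadic arguments passed      */
    const enum arg_type *types;  /* their types, in order                     */
    int next;                    /* index of the next argument to be consumed */
    int violations;              /* mismatches or over-reads detected         */
};

/* Callee side: allow the next va_arg only if the recorded type matches. */
static int check_arg(struct va_desc *d, enum arg_type want) {
    if (d->next >= d->count)        { d->violations++; return 0; } /* over-read */
    if (d->types[d->next] != want)  { d->violations++; return 0; } /* wrong type */
    d->next++;
    return 1;
}

/* Minimal format consumer supporting %d, %f and %s. Stops at the first
   violation so no argument is ever read with the wrong type. */
static int checked_vformat(char *out, size_t outsz, struct va_desc *d,
                           const char *fmt, va_list ap) {
    size_t pos = 0;
    for (const char *p = fmt; *p && pos + 1 < outsz; p++) {
        if (*p != '%') { out[pos++] = *p; continue; }
        p++;
        int n = 0;
        switch (*p) {
        case 'd':
            if (!check_arg(d, ARG_INT)) goto stop;
            n = snprintf(out + pos, outsz - pos, "%d", va_arg(ap, int));
            break;
        case 'f':
            if (!check_arg(d, ARG_DOUBLE)) goto stop;
            n = snprintf(out + pos, outsz - pos, "%f", va_arg(ap, double));
            break;
        case 's':
            if (!check_arg(d, ARG_CSTR)) goto stop;
            n = snprintf(out + pos, outsz - pos, "%s", va_arg(ap, const char *));
            break;
        default:
            goto stop;               /* unsupported directive */
        }
        if (n < 0) goto stop;
        pos += (size_t)n;
        if (pos >= outsz) pos = outsz - 1;
    }
stop:
    out[pos] = '\0';
    return d->violations;
}

/* Caller-side stand-in for the instrumentation: builds the descriptor and
   forwards the variadic arguments. Returns the number of violations. */
static int checked_format(char *out, size_t outsz, const enum arg_type *types,
                          int count, const char *fmt, ...) {
    struct va_desc d = { count, types, 0, 0 };
    va_list ap;
    va_start(ap, fmt);
    int v = checked_vformat(out, outsz, &d, fmt, ap);
    va_end(ap);
    return v;
}

/* Well-typed call: returns 1 when nothing is flagged and the output is complete. */
int demo_matching(void) {
    static const enum arg_type t[] = { ARG_INT, ARG_CSTR };
    char buf[64];
    int v = checked_format(buf, sizeof buf, t, 2, "id=%d name=%s", 42, "alice");
    return v == 0 && strcmp(buf, "id=42 name=alice") == 0;
}

/* Type mismatch: %s is requested but an int was passed. Returns 1 when exactly
   one violation is flagged and formatting stopped before the bad directive. */
int demo_mismatch(void) {
    static const enum arg_type t[] = { ARG_INT };
    char buf[64];
    int v = checked_format(buf, sizeof buf, t, 1, "id=%s", 7);
    return v == 1 && strcmp(buf, "id=") == 0;
}

/* Over-read: two %d directives but only one argument was passed. */
int demo_too_few(void) {
    static const enum arg_type t[] = { ARG_INT };
    char buf[64];
    int v = checked_format(buf, sizeof buf, t, 1, "%d,%d", 5);
    return v == 1 && strcmp(buf, "5,") == 0;
}

int main(void) {
    printf("matching=%d mismatch=%d too_few=%d\n",
           demo_matching(), demo_mismatch(), demo_too_few());
    return 0;
}
```

The descriptor is the whole trick: once the callee can see how many arguments were passed and of which types, the two classic failure modes of variadic calls (reading an argument with the wrong type, and reading past the last argument) become checkable at the point of use rather than being silently undefined behavior.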
To prevent data-oriented exploits from deterministically corrupting program data, a probabilistic fine-grained randomization defense, Data Space Randomization (DSR), was proposed. DSR randomizes the representation of program data in memory to prevent illegitimate use of data. DSR employs static analysis to classify data objects into equivalence classes, and masks memory load and store instructions using XOR operations. Masks are chosen (i) so as not to interfere with intended data flows and (ii) such that masking is likely to interfere with unintended flows introduced by malicious program inputs.
Using two new DSR bypass attacks, one that directly discloses memory and another that uses speculative execution, we show that the existing DSR defenses are still not secure. We then improve upon state-of-the-art DSR and propose the first dynamic DSR scheme resilient to disclosure attacks. Our mitigation continuously rerandomizes the masks used in loads and stores, and re-masks all memory objects to remain transparent with respect to program execution. Our evaluation confirms that our approach successfully thwarts these attacks with limited run-time overhead in standard benchmarks as well as real-world applications.
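To make the masking and re-masking concrete, the following C program is an added toy model of DSR; it is not the dissertation's instrumentation or code. Memory is an array of words, each word belongs to one equivalence class (the assignment stands in for the result of the static analysis), and every load and store goes through its class's XOR mask. The model shows the two properties the abstract describes: an access through the object's own class always sees the intended value, even across a rerandomization that swaps every mask and re-masks every object, while a store that reaches an object through another class's mask (modelling an out-of-bounds write) does not deliver the written value, and a mask copied before rerandomization no longer decodes memory afterwards. The small xorshift generator, all `dsr_*` helpers and the `demo_*` functions are hypothetical; a real scheme would draw masks from a cryptographically secure source.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NWORDS   8   /* size of the modelled program memory, in words */
#define NCLASSES 2   /* number of equivalence classes in the model    */

static uint32_t mem[NWORDS];      /* "physical" memory: holds masked values      */
static uint32_t mask[NCLASSES];   /* current mask of each equivalence class     */
static int      cls_of[NWORDS];   /* class owning each word (assumed analysis)   */

/* Small deterministic xorshift32 so the example is reproducible; a real DSR
   implementation would use a cryptographically secure generator. */
static uint32_t rng_state = 0x9e3779b9u;
static uint32_t next_mask(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* Instrumented store and load: the instruction applies the mask of the class
   the (assumed) static analysis assigned to it. */
static void     dsr_store(int cls, int addr, uint32_t v) { mem[addr] = v ^ mask[cls]; }
static uint32_t dsr_load (int cls, int addr)             { return mem[addr] ^ mask[cls]; }

/* Words 0..3 form class 0 (think: a buffer), words 4..7 form class 1
   (think: a flag). Every word starts out holding plaintext zero. */
static void dsr_init(void) {
    for (int c = 0; c < NCLASSES; c++) mask[c] = next_mask();
    for (int a = 0; a < NWORDS; a++) cls_of[a] = (a < 4) ? 0 : 1;
    for (int a = 0; a < NWORDS; a++) dsr_store(cls_of[a], a, 0);
}

/* Rerandomization: choose fresh masks and re-mask every object in place, so
   legitimate accesses keep observing the same plaintext values. */
static void dsr_rerandomize(void) {
    uint32_t fresh[NCLASSES];
    for (int c = 0; c < NCLASSES; c++) fresh[c] = next_mask();
    for (int a = 0; a < NWORDS; a++) {
        int c = cls_of[a];
        mem[a] = (mem[a] ^ mask[c]) ^ fresh[c];  /* unmask with old, re-mask with new */
    }
    memcpy(mask, fresh, sizeof mask);
}

/* Intended flow: the flag is written and, after a rerandomization, read back
   through its own class. Returns the value observed (expected: 1). */
uint32_t demo_intended(void) {
    dsr_init();
    dsr_store(1, 4, 1);
    dsr_rerandomize();
    return dsr_load(1, 4);
}

/* Unintended flow: a store issued through class 0 (the buffer's class) lands
   on word 4, modelling an out-of-bounds write. The bits are masked with
   mask[0] but the program reads the flag with mask[1], so the written value
   arrives only if the two masks coincide. Returns 1 if it arrived intact. */
int demo_unintended_hits(void) {
    dsr_init();
    dsr_store(0, 4, 1);
    return dsr_load(1, 4) == 1;
}

/* A copied mask goes stale: mask[1] captured before a rerandomization no
   longer decodes the flag word afterwards. Returns 1 if it still decodes. */
int demo_stale_mask_decodes(void) {
    dsr_init();
    dsr_store(1, 4, 1);
    uint32_t old_mask = mask[1];
    dsr_rerandomize();
    return (mem[4] ^ old_mask) == 1;
}

int main(void) {
    printf("intended=%u unintended_hits=%d stale_mask_decodes=%d\n",
           (unsigned)demo_intended(), demo_unintended_hits(), demo_stale_mask_decodes());
    return 0;
}
```

The re-masking loop in `dsr_rerandomize` is where the "transparent with respect to program execution" property comes from: because each object is unmasked with its old class mask and re-masked with the new one in a single pass, the plaintext seen through intended accesses never changes, while any mask value observed earlier stops being useful.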