eScholarship
Open Access Publications from the University of California

Practical Run-Time Mitigations Against Data-Oriented Attacks

  • Author(s): Rajasekaran, Prabhu Karthikeyan
  • Advisor(s): Franz, Michael
  • et al.
Abstract

Data-oriented exploits are growing in popularity as defenders close the attack vectors used by control-flow exploits. Data-Oriented Programming (DOP), a generalization of data-oriented attacks, stitches together data-oriented gadgets and can perform Turing-complete computation in memory. Moreover, data-oriented exploits modify the behavior of a program without violating its control flow, and therefore are not stopped by ubiquitous mitigations aimed at control-flow hijacking such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and Control Flow Integrity (CFI).

No single solution can address all memory corruption errors: there are several classes of them, and each requires separate consideration. The arguments passed to variadic functions in C and C++ cannot be statically type-checked by the compiler, so they expose a significant memory corruption attack surface: a callee may fetch more arguments, or arguments of a different type, than the caller actually supplied. In this dissertation, we present a comprehensive approach that effectively type-checks variadic function arguments at run time and thus addresses attacks that exploit variadic-function-related memory corruption errors. Our evaluation shows that the solution is practical, with a negligible measured overhead of 0.45%, and effective, as demonstrated in several case studies.
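The following is an added illustration of run-time type checking of variadic arguments; it is not code from the dissertation, and the metadata format, the tag enum and the `checked_format` consumer are assumptions made for the demo. The idea it shows is the one the paragraph describes: the caller's side records how many variadic arguments were passed and of which types, and the callee consults that record before every `va_arg`, so a format string that asks for a pointer where an integer was passed, or for more arguments than exist, is refused instead of reading garbage off the stack.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Type tags the checker tracks. Assumption for this demo: one tag is recorded
 * per variadic argument at the call site. A compiler-based scheme would emit
 * this automatically; the callers below write it by hand. */
enum va_tag { VA_INT, VA_DOUBLE, VA_CSTR };

/* Per-call metadata that travels alongside the va_list. */
struct va_meta {
    const enum va_tag *tags;  /* declared types of the variadic arguments */
    size_t count;             /* how many arguments were actually passed */
    size_t next;              /* index of the next argument to be consumed */
};

enum { VA_OK = 0, VA_TOO_FEW = -1, VA_TYPE_MISMATCH = -2 };

/* Gate every va_arg: refuse if the caller passed fewer arguments than the
 * callee wants, or if the declared type differs from the requested one. */
static int va_expect(struct va_meta *m, enum va_tag want)
{
    if (m->next >= m->count)
        return VA_TOO_FEW;
    if (m->tags[m->next] != want)
        return VA_TYPE_MISMATCH;
    m->next++;
    return VA_OK;
}

/* A minimal printf-style consumer that fetches an argument only after the
 * check passes. Returns the number of arguments consumed or a negative error
 * code. `out` may be NULL to discard the rendered text. */
static int checked_format(FILE *out, const struct va_meta *meta, const char *fmt, ...)
{
    struct va_meta m = *meta;
    va_list ap;
    int rc = VA_OK;

    va_start(ap, fmt);
    for (const char *p = fmt; *p != '\0' && rc == VA_OK; p++) {
        if (*p != '%') {
            if (out) fputc(*p, out);
            continue;
        }
        if (*++p == '\0')          /* dangling '%' ends the format */
            break;
        switch (*p) {
        case 'd':
            if ((rc = va_expect(&m, VA_INT)) == VA_OK) {
                int v = va_arg(ap, int);
                if (out) fprintf(out, "%d", v);
            }
            break;
        case 'f':
            if ((rc = va_expect(&m, VA_DOUBLE)) == VA_OK) {
                double v = va_arg(ap, double);
                if (out) fprintf(out, "%f", v);
            }
            break;
        case 's':
            if ((rc = va_expect(&m, VA_CSTR)) == VA_OK) {
                const char *v = va_arg(ap, const char *);
                if (out) fputs(v, out);
            }
            break;
        default:                   /* unsupported conversion: treat as a type error */
            rc = VA_TYPE_MISMATCH;
        }
    }
    va_end(ap);
    return rc == VA_OK ? (int)m.next : rc;
}

/* Benign call: format and metadata agree, both arguments are consumed. */
static int demo_matching(void)
{
    static const enum va_tag tags[] = { VA_INT, VA_CSTR };
    struct va_meta meta = { tags, 2, 0 };
    return checked_format(NULL, &meta, "id=%d name=%s\n", 42, "alice");
}

/* Attacker-controlled format asks for a string where an int was passed; the
 * check fires before va_arg would have reinterpreted the integer as a pointer. */
static int demo_type_mismatch(void)
{
    static const enum va_tag tags[] = { VA_INT };
    struct va_meta meta = { tags, 1, 0 };
    return checked_format(NULL, &meta, "%s\n", 7);
}

/* Classic format-string over-read: more conversions than arguments. */
static int demo_too_few(void)
{
    static const enum va_tag tags[] = { VA_INT };
    struct va_meta meta = { tags, 1, 0 };
    return checked_format(NULL, &meta, "%d %d %d\n", 1);
}

int main(void)
{
    printf("matching=%d mismatch=%d too_few=%d\n",
           demo_matching(), demo_type_mismatch(), demo_too_few());
    return 0;
}
```

The check is deliberately placed in `va_expect`, before the `va_arg` that would read the stack slot; in a real deployment the same gate sits behind every `va_arg` in the program, including the ones inside libc's own `vfprintf`, which is why the instrumentation has to cover the standard library as well.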

To prevent data-oriented exploits from deterministically corrupting program data, a probabilistic fine-grained randomization defense, Data Space Randomization (DSR), was proposed. DSR randomizes the representation of program data in memory to prevent illegitimate use of that data. DSR employs static analysis to classify data objects into equivalence classes and then masks memory load and store instructions with XOR operations. Masks are chosen (i) so that they do not interfere with intended data flows and (ii) so that masking is likely to interfere with unintended flows introduced by malicious program inputs.

We show, using two new DSR bypass attacks, one that directly discloses memory and another that uses speculative execution, that existing DSR defenses are still not secure. We then improve upon state-of-the-art DSR and propose the first dynamic DSR scheme resilient to disclosure attacks. Our mitigation continuously rerandomizes the masks used in loads and stores, and re-masks all memory objects so that the change remains transparent with respect to program execution. Our evaluation confirms that our approach successfully thwarts these attacks with limited run-time overhead on standard benchmarks as well as real-world applications.
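The following added example models the DSR mechanism described in the two paragraphs above (per-class XOR masks on loads and stores, why a memory disclosure defeats static masks, and how re-masking keeps rerandomization transparent to the program). It is not the dissertation's implementation: the two-object memory layout, the per-byte mask derivation and all mask values are assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated process memory: an 8-byte input buffer directly followed by a
 * 4-byte privilege flag. Static analysis would place the two objects in
 * different equivalence classes, so each gets its own mask. (Assumed layout.) */
#define BUF_OFF  0
#define FLAG_OFF 8
#define MEM_LEN  12

/* Assumption: the byte at offset idx is masked with byte (idx mod 4) of its class mask. */
static uint8_t mask_byte(uint32_t mask, size_t idx)
{
    return (uint8_t)(mask >> (8 * (idx & 3)));
}

/* Instrumented store: XOR with the class mask before the value reaches memory. */
static void dsr_store(uint8_t *mem, size_t off, const uint8_t *src, size_t n, uint32_t mask)
{
    for (size_t i = 0; i < n; i++)
        mem[off + i] = src[i] ^ mask_byte(mask, off + i);
}

/* Instrumented load: XOR with the class mask to recover the plaintext value. */
static void dsr_load(const uint8_t *mem, size_t off, uint8_t *dst, size_t n, uint32_t mask)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = mem[off + i] ^ mask_byte(mask, off + i);
}

static void store_flag(uint8_t *mem, uint32_t v, uint32_t mask_flag)
{
    uint8_t b[4] = { (uint8_t)v, (uint8_t)(v >> 8), (uint8_t)(v >> 16), (uint8_t)(v >> 24) };
    dsr_store(mem, FLAG_OFF, b, 4, mask_flag);
}

static uint32_t load_flag(const uint8_t *mem, uint32_t mask_flag)
{
    uint8_t b[4];
    dsr_load(mem, FLAG_OFF, b, 4, mask_flag);
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Unintended flow: a copy into buf with an attacker-chosen length runs over into
 * the flag. The copy is instrumented for buf's class, so every byte, including
 * the ones landing on the flag, is masked with mask_buf. Returns the value a
 * legitimate flag load sees afterwards. */
static uint32_t overflow_attack(uint32_t mask_buf, uint32_t mask_flag)
{
    uint8_t mem[MEM_LEN] = {0};
    /* Constructed attacker input: 8 filler bytes, then the value 1 (little-endian). */
    const uint8_t input[12] = { 'A','A','A','A','A','A','A','A', 1, 0, 0, 0 };

    store_flag(mem, 0, mask_flag);                            /* starts unprivileged */
    dsr_store(mem, BUF_OFF, input, sizeof input, mask_buf);   /* the overflow */
    return load_flag(mem, mask_flag);
}

/* Why disclosure breaks static DSR: leaking the raw bytes of an object whose
 * plaintext the attacker knows gives away the class mask, after which the
 * overflow payload can simply be pre-masked. */
static uint32_t leak_recovers_mask(uint32_t mask_flag, uint32_t known_plain)
{
    uint8_t mem[MEM_LEN] = {0};
    store_flag(mem, known_plain, mask_flag);
    return load_flag(mem, 0) ^ known_plain;   /* raw bytes XOR known plaintext */
}

/* Dynamic DSR: move a class to a fresh mask and re-mask its objects in place so
 * legitimate loads still see the same plaintext; a leaked mask goes stale. */
static void dsr_remask(uint8_t *mem, size_t off, size_t n, uint32_t old_mask, uint32_t new_mask)
{
    for (size_t i = 0; i < n; i++)
        mem[off + i] ^= mask_byte(old_mask, off + i) ^ mask_byte(new_mask, off + i);
}

/* Returns 1 if the in-memory bytes changed but the loaded value did not. */
static int remask_preserves_value(void)
{
    uint8_t mem[MEM_LEN] = {0}, before[4];
    uint32_t mask_flag = 0x0BADF00D, new_mask = 0xDEADBEEF;

    store_flag(mem, 0x1234, mask_flag);
    memcpy(before, mem + FLAG_OFF, 4);
    dsr_remask(mem, FLAG_OFF, 4, mask_flag, new_mask);
    mask_flag = new_mask;
    return memcmp(before, mem + FLAG_OFF, 4) != 0 && load_flag(mem, mask_flag) == 0x1234;
}

int main(void)
{
    printf("same mask in both classes: flag=%u\n", (unsigned)overflow_attack(0xA5A5A5A5u, 0xA5A5A5A5u));
    printf("distinct masks:            flag=0x%08x\n", (unsigned)overflow_attack(0x11223344u, 0x55667788u));
    printf("mask recovered from leak:  0x%08x\n", (unsigned)leak_recovers_mask(0x0BADF00Du, 0));
    printf("remask transparent:        %d\n", remask_preserves_value());
    return 0;
}
```

With one shared mask the overflow sets the flag to exactly 1; with distinct masks the flag reads as 1 XOR mask_buf XOR mask_flag, which the attacker cannot steer without knowing both masks. `leak_recovers_mask` is the disclosure problem in miniature: one leaked masked word with known plaintext yields the mask, which is why the masks have to change over time, and `dsr_remask` is the bookkeeping that makes such a change invisible to the program's own loads.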
