Abstract

Most software attacks subvert the intended data flow of a program by exploiting memory corruption vulnerabilities. Data-Flow Integrity (DFI) is a generic defense against such attacks. Its security guarantee depends mainly on the accuracy of the static Data-Flow Graph (DFG) produced by Data-Flow Analysis (DFA), but the static DFG is conservatively over-approximated because DFA is imprecise. A natural question therefore arises: what is the real protective power of DFI, and how can it be measured? In this work, we first evaluate the effectiveness of DFI using a memory corruption offense-defense model that we construct and a proposed attack, Data-Flow Bending (DFB). We show, through a proof-of-concept exploit, how DFB corrupts memory data while still adhering to DFI. Furthermore, we verify that state-of-the-art data-oriented attacks remain possible in the presence of DFI using practical cases. Our work indicates that DFI may be ineffective against the exploitation of memory corruption vulnerabilities in certain circumstances, and that DFB can circumvent DFI to carry out memory corruption attacks.
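The following toy DFI reference monitor is an added illustration, not code from the paper, of why the guarantee hinges on the DFG's precision. It follows the classic DFI design (each read site carries a static set of permitted writer sites and a runtime definitions table records the last writer of every address); the site identifiers, the memory layout and the out-of-bounds copy are constructed for the example.

```python
# Constructed example: a minimal DFI monitor over a byte-addressed toy memory.
# Site IDs are integers assigned to each static write/read instruction.

class DFIViolation(Exception):
    """Raised when a read observes data from a writer the DFG does not permit."""

class DFIMonitor:
    def __init__(self, dfg):
        # dfg: read_site -> set of write sites that may reach it (static DFG)
        self.dfg = dfg
        # runtime definitions table: address -> site of the last write
        self.rdt = {}

    def write(self, site, addr, mem, value):
        mem[addr] = value
        self.rdt[addr] = site          # DFI records the definition on every write

    def read(self, site, addr, mem):
        last_writer = self.rdt.get(addr)
        if last_writer not in self.dfg[site]:   # DFI checks on every read
            raise DFIViolation(f"read site {site}: addr {addr} last written by site {last_writer}")
        return mem[addr]

BUF, FLAG = 0, 4   # constructed layout: 4-byte buffer at 0..3, is_admin flag at 4

def run_program(dfg):
    """Run a constructed program under DFI; return the value read or 'violation'."""
    mon = DFIMonitor(dfg)
    mem = [0] * 8
    mon.write(1, FLAG, mem, 0)                  # site 1: is_admin = 0
    data = [0x41, 0x41, 0x41, 0x41, 0x01]       # 5 bytes copied into a 4-byte buffer
    for i, b in enumerate(data):
        mon.write(2, BUF + i, mem, b)           # site 2: the copy loop (constructed bug)
    try:
        return mon.read(3, FLAG, mem)           # site 3: if (is_admin) ...
    except DFIViolation:
        return "violation"

# A precise DFG says only site 1 may define what site 3 reads: the overrun is caught.
PRECISE_DFG = {3: {1}}
# An over-approximated DFG (e.g. the analysis could not separate the buffer from the
# flag) also admits site 2, so the same corrupted value passes the DFI check.
OVERAPPROX_DFG = {3: {1, 2}}

if __name__ == "__main__":
    print("precise DFG      :", run_program(PRECISE_DFG))      # violation
    print("over-approx. DFG :", run_program(OVERAPPROX_DFG))   # 1
```

The second run is the situation the abstract describes: the write that corrupts the flag is "allowed" by the conservative DFG, so DFI raises no alarm and only a tighter DFG (or a complementary defense) would catch it.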
