Abstract
By developing a Turing-complete non-control data attack to bypass existing defenses against control flow attacks, Data-Oriented Programming (DOP) has gained significant attention from researchers in recent years. While several defense techniques have been proposed to mitigate DOP attacks, they often introduce substantial overhead due to the blind protection of a large range of data objects. To address this issue, we focus on selecting and protecting the specific target data that are of interest to DOP attackers, rather than securing the entire non-control data in the program. In this regard, we perform static analysis on 20 real-world applications and identify the target data, verifying that they constitute only a small percentage of the overall program, averaging around 3%. Additionally, we propose a semi-automated tool to analyze how to chain operations on the target data in these 20 applications to achieve Turing-complete attacks. Furthermore, we introduce DSLR-: a low-overhead Data Structure Layout Randomization (DSLR) method, which modifies the existing DSLR technique to only randomize the selected target data for DOP. Experimental results demonstrate that DSLR- effectively mitigates DOP attacks, reducing performance overhead by 71.2% and memory overhead by 82.5% compared to the original DSLR technique.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
