Non-control Data Research Articles

Key-area Cyberspace Mimic Defense Against Data-Oriented Attacks

As modern systems widely deploy protective measures for control data in memory, such as Control-Flow Integrity (CFI), attackers’ ability to manipulate control data is greatly restricted. Consequently, attackers are turning to opportunities to manipulate non-control data in memory (known as Data-Oriented Attacks, or DOAs), which have been proven to pose significant security threats to memory. However, existing techniques to mitigate DOAs often introduce significant overhead due to the indiscriminate protection of a large range of data objects. To address this challenge, this paper adopts a Cyberspace Mimic Defense (CMD) strategy, a generic framework for addressing endogenous security vulnerabilities, to prevent attackers from executing DOAs using known or unknown security flaws. Specifically, we introduce a formalized expression algorithm that assesses whether DOA-attackers can construct inputs to exploit vulnerability points. Building on this, we devise a key-area CMD strategy that modifies the code pathway from input to the vulnerability point, thereby effectively thwarting the activation of the vulnerability. Finally, our simulation experiments demonstrate that the key-area CMD strategy can effectively prevent DOAs by selectively diversifying parts of the program code.

Bitmap-Based Security Monitoring for Deeply Embedded Systems

Deeply embedded systems powered by microcontrollers are becoming popular with the emergence of Internet of Things (IoT) technology. However, these devices primarily run C/C++ code and are susceptible to memory bugs, which can potentially lead to both control data attacks and non-control data attacks. Existing defense mechanisms (such as control flow integrity (CFI), data flow integrity (DFI) and write integrity testing (WIT), etc.) consume a massive amount of resources, making them less practical in real products. To make it lightweight, we design a bitmap-based allowlist mechanism to unify the storage of the runtime data for protecting both control data and non-control data. The memory requirements are constant and small, regardless of the number of deployed defense mechanisms. We store the allowlist in the TrustZone to ensure its integrity and confidentiality. Meanwhile, we perform an offline analysis to detect potential collisions and make corresponding adjustments when if happens. We have implemented our idea on an ARM Cortex-M based development board. Our evaluation results show a substantial reduction in memory consumption when deploying the proposed CFI and DFI mechanisms, without compromising runtime performance. Specifically, our prototype enforces CFI and DFI at a cost of just 2.09% performance overhead and 32.56% memory overhead on average.

DSLR–: A low-overhead data structure layout randomization for defending data-oriented programming

By developing a Turing-complete non-control data attack to bypass existing defenses against control flow attacks, Data-Oriented Programming (DOP) has gained significant attention from researchers in recent years. While several defense techniques have been proposed to mitigate DOP attacks, they often introduce substantial overhead due to the blind protection of a large range of data objects. To address this issue, we focus on selecting and protecting the specific target data that are of interest to DOP attackers, rather than securing the entire non-control data in the program. In this regard, we perform static analysis on 20 real-world applications and identify the target data, verifying that they constitute only a small percentage of the overall program, averaging around 3%. Additionally, we propose a semi-automated tool to analyze how to chain operations on the target data in these 20 applications to achieve Turing-complete attacks. Furthermore, we introduce DSLR-: a low-overhead Data Structure Layout Randomization (DSLR) method, which modifies the existing DSLR technique to only randomize the selected target data for DOP. Experimental results demonstrate that DSLR- effectively mitigates DOP attacks, reducing performance overhead by 71.2% and memory overhead by 82.5% compared to the original DSLR technique.

Misuse Patterns from the Threat of Modification of Non-Control Data in Network Function Virtualization

Network Function Virtualization (NFV) is a virtual network model, the goal of which is a cost-efficient transition of the hardware infrastructure into a flexible and reliable software platform. However, this transition comes at the cost of more security threats. A key part of this virtualization environment is the hypervisor, which emulates the hardware resources to provide a runtime environment for virtual machines (VMs). The hypervisor is considered a major attack vector and must be secured to ensure network service continuity. The virtualization environment contains critical non-control data where compromise could lead to several misuses, including information leakage and privilege and resource modification. In this paper, we present a misuse pattern for an attack that exploits the security vulnerabilities of the hypervisor to compromise the integrity of non-control data in the NFV environment. Misuse patterns are used to describe how attacks are carried out from the attackers’ perspective. The threat of modification of non-control data can lead to several misuses, and in this paper, we discuss three of them. The defenses to this attack can be incorporated into the Security Reference Architecture (SRA) of the NFV system to prevent these misuses.

Moving target defense for the security and resilience of mixed time and event triggered cyber–physical systems

Memory corruption attacks such as code injection, code reuse, and non-control data attacks have become widely popular for compromising safety-critical Cyber–Physical Systems (CPS). Moving target defense (MTD) techniques such as instruction set randomization (ISR), address space randomization (ASR), and data space randomization (DSR) can be used to protect systems against such attacks. CPS often use time-triggered architectures to guarantee predictable and reliable operation. MTD techniques can cause time delays with unpredictable behavior. To protect CPS against memory corruption attacks, MTD techniques can be implemented in a mixed time and event-triggered architecture that provides capabilities for maintaining safety and availability during an attack. This paper presents a mixed time and event-triggered MTD security approach based on the ARINC 653 architecture that provides predictable and reliable operation during normal operation and rapid detection and reconfiguration upon detection of attacks. We leverage a hardware-in-the-loop testbed and an advanced emergency braking system (AEBS) case study to show the effectiveness of our approach.

Exploitation Techniques for Data-oriented Attacks with Existing and Potential Defense Approaches

Data-oriented attacks manipulate non-control data to alter a program’s benign behavior without violating its control-flow integrity. It has been shown that such attacks can cause significant damage even in the presence of control-flow defense mechanisms. However, these threats have not been adequately addressed. In this survey article, we first map data-oriented exploits, including Data-Oriented Programming (DOP) and Block-Oriented Programming (BOP) attacks, to their assumptions/requirements and attack capabilities. Then, we compare known defenses against these attacks, in terms of approach, detection capabilities, overhead, and compatibility. It is generally believed that control flows may not be useful for data-oriented security. However, data-oriented attacks (especially DOP attacks) may generate side effects on control-flow behaviors in multiple dimensions (i.e., incompatible branch behaviors and frequency anomalies). We also characterize control-flow anomalies caused by data-oriented attacks. In the end, we discuss challenges for building deployable data-oriented defenses and open research questions.

Dynamic Information Flow Tracking: Taxonomy, Challenges, and Opportunities.

Dynamic information flow tracking (DIFT) has been proven an effective technique to track data usage; prevent control data attacks and non-control data attacks at runtime; and analyze program performance. Therefore, a series of DIFT techniques have been developed recently. In this paper, we summarize the current DIFT solutions and analyze the features and limitations of these solutions. Based on the analysis, we classify the existing solutions into three categories, i.e., software, hardware, software and hardware co-design. We discuss the DIFT design from the perspective of whole system and point out the limitations of current DIFT frameworks. Potential enhancements to these solutions are also presented. Furthermore, we present suggestions about the possible future direction of DIFT solutions so that DIFT can help improve security levels.

Checking is Believing: Event-Aware Program Anomaly Detection in Cyber-Physical Systems

Securing cyber-physical systems (CPS) against malicious attacks is of paramount importance because these attacks may cause irreparable damages to physical systems. Recent studies have revealed that control programs running on CPS devices suffer from both control-oriented attacks (e.g., code-injection or code-reuse attacks) and data-oriented attacks (e.g., non-control data attacks). Unfortunately, existing detection mechanisms are insufficient to detect runtime data-oriented exploits, due to the lack of runtime execution semantics checking. In this work, we propose Orpheus, a new security methodology for defending against data-oriented attacks by enforcing cyber-physical execution semantics. We first present a general method for reasoning cyber-physical execution semantics of a control program (i.e., causal dependencies between the physical context and program control flows), including the event identification and dependence analysis. As an instantiation of Orpheus, we then present a new program behavior model, i.e., the event-aware finite-state automaton (eFSA). eFSA takes advantage of the event-driven nature of CPS control programs and incorporates event checking in anomaly detection. It detects data-oriented exploits if a specific physical event is missing along with the corresponding event dependent state transition. We evaluate our prototype's performance by conducting case studies under data-oriented attacks. Results show that eFSA can successfully detect different runtime attacks. Our prototype on Raspberry Pi incurs a low overhead, taking 0.0001s for each state transition integrity checking, and 0.063s~0.211s for the cyber-physical contextual consistency checking.

Boundary Bit: Architectural Bound Checking for Buffer-Overflow Protection

We propose Boundary Bit, a new architectural bound-checking approach that detects and prevents buffer-overflow attacks. Boundary Bit extends an architecture by associating a bit to each memory entry. Software can set a (boundary) bit to delimit an object. On each memory access, the hardware will dynamically validate the object's bound using the boundary bit. With minimal hints from the compiler, our architectural design eliminates most (if not all) types of buffer-overflow attacks. These include attacks on non-control data (variables and arguments) and array-indexing errors. We evaluate the performance of Boundary Bit using simulation, and the results show that the majority of performance overheads lies in bit scanning operations. To mitigate performance overheads, we introduce a hardware bitmap to act as a cache. The results from our simulation shows that the hardware bitmap can absorb most overhead from bit scanning, which in the best-case scenario translated to 30 times speed up compared to the version that does not utilize bitmap cache.

DO-RA: Data-oriented runtime attestation for IoT devices

Remote attestation is an excellent approach to confirm the security states of Internet of Things (IoT) devices. It allows an entity (verifier) to validate the integrity of a potentially compromised platform (prover). Most of the current attestation schemes are static, which verify only the software integrity of devices. Recently, some runtime attestation schemes based on the Control Flow Graph (CFG) of the program have been proposed to collect the runtime information. However, the algorithm for constructing CFG only focuses on the rationality of the programs’ control flow, and ignores the possibility that attackers could compromise the control flow of the device by modifying key data. Some mitigation of runtime exploitation technologies take into account the Unique Code Target (UCT) property of control flow, but there are limitations to their algorithms abilities to find out the constraining data. In this paper, we present a Data-Oriented Control Flow Graph (DO-CFG) that can match a single legitimate target for each control-flow transfer, which guarantees both the rationality and the full uniqueness of programs’ control flow. Furthermore, we propose a Data-Oriented Runtime Attestation (DO-RA) scheme based on DO-CFG. It collects some critical non-control data to enhance the detection ability of the attestation scheme, which further ensures the uniqueness of the control flow. We also present a detailed proof-of-concept implementation and analyze our protocol based on Raspberry Pi. We simulate several real applications to evaluate the security and performance of DO-RA, which demonstrates that our scheme provides a more comprehensive detection capability within an acceptable overhead.

M-PIVAD - Virtual memory based approach against non-control data attacks

Computing systems are under the persistent threat of information leakage and unauthorized access. A constant arms race is on to find effective defensive mechanisms against adversarial accesses. As program exploitation techniques are evolving in sophistication, current anomaly detection strategies are proving to be incompetent against modern attacks. This paper describes the Memory usage-based Program Integrity Verifier and Anomaly Detector (M-PIVAD), an intuitive approach for detecting anomalies in program execution. We propose an attack detection scenario, based on segmented virtual memory aggregation and a two-level detection strategy, specifically targeted towards non-control data attacks like Data-Oriented Programming (DOP) and Return Oriented Programming (ROP). The novel graph-based temporal behavioural model proposed here detects an anomaly at the quickest possible instance of occurrence of the attack. Experimental evaluations of the real world programs like ‘sudo’ and ‘nginx’ show the detection of anomalous deviation at 12.25% and 36.47% of the execution of these programs, respectively. Experiments using fifteeen non-control data attack-vectors and seven different applications for detecting anomalies in program execution, indicate a detection accuracy of 93.16%.

Value-Based Constraint Control Flow Integrity

Control flow integrity (CFI) is a generic technique that prevents a control flow hijacking attacks by verifying the legitimacy of indirect branches against a predefined set of targets. State-of-the-art CFI solutions focus on reducing the number of targets using the context of a program such as the path to the indirect branch and the origin of the code pointer. However, these solutions work with an impractical assumption that the attacker only compromises control data; non-control data such as condition data that can also be abused by attackers are not considered. To overcome these limitations, in this paper, we propose value-based constraint CFI (vCFI) to improve the effectiveness of CFI by retrieving and protecting all data that can potentially be manipulated for control flow hijacking. We first perform static analysis such as dependency, condition, and data analyses to derive all control flow-related data. Then, vCFI protects these data during runtime by instrumenting a program to be hardened. We implemented vCFI as a compiler extension and evaluated its performance using SPEC CPU2006. The performance degradation caused by adopting vCFI was reasonable, and the average overhead was 13.6%.

Shapeshifter: Intelligence-driven data plane randomization resilient to data-oriented programming attacks

Non-control data attacks are becoming an increasingly major threat to cyber security. Specifically, data-oriented programming (DOP) attacks manipulate the non-control data in the target program to achieve malicious goals without violating control-flow integrity (CFI). Pioneering research has shown that such attacks can be equally as powerful and effective as control-flow attacks. However, these threats have not been adequately addressed because most previous defence mechanisms focus on preventing control-flow attacks. To this end, we propose Shapeshifter, an intelligence-driven data plane randomization technique that is resilient to non-control data attacks. We define and identify the security-critical data objects that need to be randomized through strategic behaviour analysis for DOP attacks. Driven by the threat intelligence from DOP attacks, we construct a reasonable whitelist for randomization and design a runtime randomization strategy. Shapeshifter adaptively randomizes the memory representation of both the data structure instances and the variables on the whitelist at runtime, thereby dynamically changing the attack surface and increasing the difficulty of launching DOP attacks. We implement Shapeshifter on top of the LLVM compiler and conduct an evaluation. The evaluation results show the effectiveness of Shapeshifter in mitigating non-control data attacks with a 20.1% runtime overhead on average.

DOPdefenderPlus: A Data-Oriented Programming Attack Mitigation Technique for Complex Software

With the development of research on noncontrol data attacks and defense, the threat of data-oriented programming (DOP) attacks has attracted increasing attention from the security research community. DOP attacks can manipulate security-critical noncontrol data to alter program behavior without violating control-flow integrity (CFI) and can circumvent the most effective defenses against control-data attacks. Among DOP attacks, the misuse of user input data is a major contributor. Moreover, existing defense methods, e.g., DOPdefender, currently lack security protection for user input data. To effectively defend against DOP attacks, we propose a novel technique, DOPdefenderPlus, which draws on the idea of divide-and-conquer and uses the modular authentication technique to make DOPdefender scalable for complex software that is designed modularly, as well as introduce the Inputguard technique to protect the program input data. The DOPdefenderPlus is an enhanced version of DOPdefender, which overcomes some limitations of DOPdefender. We implement DOPdefenderPlus on a Linux operating system and use it to defend against multiple realistic DOP attacks. We also evaluate the performance of our method, and all the results show that DOPdefenderPlus can overcome the two limitations of DOPdefender while introducing a moderate runtime overhead.

DOPdefender: An approach to thwarting data-oriented programming attacks based on a data-aware automaton

In recent years, non-control data attacks have become a popular topic in the field of network security. These attacks, such as data-oriented programming (DOP), do not aim to circumvent the control-flow integrity (CFI) protections; rather, they need corrupt only the security-critical non-control data of the target program. Non-control data attacks have been shown to achieve Turing-complete computation. In this paper, we build a non-control data attack description model and analyse feasible defence strategies. We present a new program behaviour model, i.e., the data-aware finite-state automaton (dFSA). Based on the dFSA, we propose the DOPdefender method, which is a method of defending against non-control data attacks. DOPdefender monitors the target process and is aware of the security-critical non-control data that are expected to be operated at runtime, thus validating the legality of the operation on the security-critical non-control data. DOPdefender can prevent adversaries from corrupting the security-critical non-control data of the target program and defend against existing non-control data attacks. We evaluate our method on a Linux operating system. An effectiveness test and a performance test indicate the effectiveness of DOPdefender in thwarting non-control data attacks with a 28.4% runtime overhead on average for CPU-intensive programs and a 13.5% runtime overhead on average for I/O-intensive programs. In the Limitations Section, we discuss a solution to making our method scalable for large-scale programs under some guiding information.

HIMDroid—A Measurement of Android Kernel Based on Kernel Data Invariants

In order to reduce the threat of rootkits to the integrity of Android system, based on kernel data invariants, an Android kernel measurement method HIMDroid is proposed. Recent work has demonstrated that rootkits malicilously modify not only control data but also non-control data. HIMDroid can detect rootkits modifying both control and non-control data. The data structures of the measured kernel invariants are gained by analyzing the kernel control and non-control data that affect the integrity of the kernel during the running of the Android system. By using ARM virtualization technology, HIMDroid separates the measurement module from the measured Android system, preventing the measurement software being attacked. These core data structures of the measured kernel invariants are reconstructed and analyzed in the measurement module. HIMDroid, on the one hand, measures control data and non-control data in the Android kernel while eliminating the attack surface of the Android kernel layer to the measurement software, and effectively reducing the TCB (trusted computing base) of the monitoring model; on the other hand, it has no significant performance loss.

Long-Span Program Behavior Modeling and Attack Detection

Intertwined developments between program attacks and defenses witness the evolution of program anomaly detection methods. Emerging categories of program attacks, e.g., non-control data attacks and data-oriented programming, are able to comply with normal trace patterns at local views. This article points out the deficiency of existing program anomaly detection models against new attacks and presents long-span behavior anomaly detection (LAD), a model based on mildly context-sensitive grammar verification. The key feature of LAD is its reasoning of correlations among arbitrary events that occurred in long program traces. It extends existing correlation analysis between events at a stack snapshot, e.g., paired call and ret, to correlation analysis among events that historically occurred during the execution. The proposed method leverages specialized machine learning techniques to probe normal program behavior boundaries in vast high-dimensional detection space. Its two-stage modeling/detection design analyzes event correlation at both binary and quantitative levels. Our prototype successfully detects all reproduced real-world attacks against sshd, libpcre, and sendmail. The detection procedure incurs 0.1 ms to 1.3 ms overhead to profile and analyze a single behavior instance that consists of tens of thousands of function call or system call events.

DADE: a fast data anomaly detection engine for kernel integrity monitoring

In computer systems, ensuring the integrity of the kernel assumes importance as attacks against the kernel allow an adversary to obtain the highest privilege within a compromised system. For this task, typically, an external monitor would perform memory introspection and verify the integrity of kernel data by checking whether certain integrity specifications hold or not. These specifications were commonly written by hand in the past. However, as adversaries turned their eyes to attacking a system through non-control kernel data, the need arose for verifying non-control kernel data, which is, unfortunately, nontrivial to do manually. Acknowledging this, Baliga et al. (Computer security applications conference, 2008. ACSAC 2008. Annual. IEEE, 2008) suggested a framework leveraging machine learning to generate integrity specifications. This generated specifications for both control and non-control data across the entire kernel with little human involvement. Unfortunately, there is a problem in the original design of this framework in regard to its practicality for deployment in real-world systems. In this paper, we propose a new design that accelerates the overall introspection process by virtually eliminating the booting delay that was needed in prior work. To evaluate the effectiveness of our design, we have implemented a prototype engine DADE and found that it only induces a delay of 68.49 ms with each reboot and a delay of 900 ms for an initial scan and an average of 160 ms for subsequent scans.

Modular protections against non-control data attacks

This paper introduces Yarra, a conservative extension to C to protect applications from non-control data attacks. Yarra programmers specify their data integrity requirements by declaring critical data types and ascribing these critical types to important data structures. Yarra guarantees that such critical data is only written through pointers with the given static type. Any attempt to write to critical data through a pointer with an invalid type (perhaps because of a buffer overrun) is detected dynamically. We formalize Yarra's semantics and prove the soundness of a program logic designed for use with the language. A key contribution is to show that Yarra's semantics are strong enough to support sound local reasoning and the use of a frame rule, even across calls to unknown, unverified code. We evaluate a prototype implementation of a compiler and runtime system for Yarra by using it to harden four common server applications against known non-control data vulnerabilities. We show that Yarra defends against these attacks with only a negligible impact on their end-to-end performance.

Systemic threats to hypervisor non‐control data

Hypervisors are becoming a widespread virtualisation layer in current computer systems. Recent successful attacks against hypervisors indicate that they face the similar integrity threats as traditional operating systems. Current approaches that secure hypervisors mainly focus on code or control-data integrity, without paying attention to non-control data integrity. In this study the authors construct attacks that target hypervisor non-control data to demonstrate which types of data within the Xen hypervisor are critical to system security. It shows privilege, resource utilisation and security policy related data are vulnerable to return-oriented programming or DMA attacks. By modifying their values from one to another, the whole system's performance will be affected. By discussing current approaches that secure hypervisors, which are not suitable for non-control data, the work is to motivate new innovation in this area to protect them.