Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks

Hong Hu, Shweta Shinde, Sendroiu Adrian, Zheng Leong Chua, Prateek Saxena, Zhenkai Liang

    Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

    119 Scopus citations

    Abstract

    As control-flow hijacking defenses gain adoption, it is important to understand the remaining capabilities of adversaries via memory exploits. Non-control data exploits are used to mount information leakage attacks or privilege escalation attacks by corrupting program memory. Compared to control-flow hijacking attacks, such non-control data exploits have limited expressiveness. The question, however, is: what is the real expressive power of non-control data attacks? In this paper we show that such attacks are Turing-complete. We present a systematic technique called data-oriented programming (DOP) to construct expressive non-control data exploits for arbitrary x86 programs. In the experimental evaluation using 9 programs, we identified 7518 data-oriented x86 gadgets and 5052 gadget dispatchers, which are the building blocks for DOP. 8 out of 9 real-world programs have gadgets to simulate arbitrary computations, and 2 of them are confirmed to be able to build Turing-complete attacks. We build 3 end-to-end attacks: to bypass randomization defenses without leaking addresses, to run a network bot which takes commands from the attacker, and to alter the memory permissions. All the attacks work in the presence of ASLR and DEP, demonstrating how the expressiveness offered by DOP significantly empowers the attacker.

    Original language: English (US)
    Title of host publication: Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016
    Publisher: Institute of Electrical and Electronics Engineers Inc.
    Pages: 969-986
    Number of pages: 18
    ISBN (Electronic): 9781509008247
    DOIs
    State: Published - Aug 16 2016
    Event: 2016 IEEE Symposium on Security and Privacy, SP 2016 - San Jose, United States
    Duration: May 23 2016 - May 25 2016

    Publication series

    Name: Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016

    Other

    Other: 2016 IEEE Symposium on Security and Privacy, SP 2016
    Country: United States
    City: San Jose
    Period: 5/23/16 - 5/25/16

    All Science Journal Classification (ASJC) codes

    • Safety, Risk, Reliability and Quality
    • Computer Networks and Communications
    • Software
