Title
Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks
Abstract
As control-flow hijacking defenses gain adoption, it is important to understand the remaining capabilities of adversaries via memory exploits. Non-control data exploits are used to mount information leakage attacks or privilege escalation attacks program memory. Compared to control-flow hijacking attacks, such non-control data exploits have limited expressiveness, however, the question is: what is the real expressive power of non-control data attacks? In this paper we show that such attacks are Turing-complete. We present a systematic technique called data-oriented programming (DOP) to construct expressive non-control data exploits for arbitrary x86 programs. In the experimental evaluation using 9 programs, we identified 7518 data-oriented x86 gadgets and 5052 gadget dispatchers, which are the building blocks for DOP. 8 out of 9 real-world programs have gadgets to simulate arbitrary computations and 2 of them are confirmed to be able to build Turing-complete attacks. We build 3 end-to-end attacks to bypass randomization defenses without leaking addresses, to run a network bot which takes commands from the attacker, and to alter the memory permissions. All the attacks work in the presence of ASLR and DEP, demonstrating how the expressiveness offered by DOP significantly empowers the attacker.
Year
2016
DOI
10.1109/SP.2016.62
Venue
2016 IEEE Symposium on Security and Privacy (SP)
Keywords
data-oriented programming, noncontrol data attack, control-flow hijacking defense, memory exploit, information leakage attack, privilege escalation attack, program memory, control-flow hijacking attack, noncontrol data exploit, Turing-complete attack, x86 programs, data-oriented x86 gadgets, gadget dispatchers, end-to-end attacks, randomization defense, memory permission, ASLR, DEP
Field
x86, Information leakage, Computer security, Computer science, Gadget, Privilege escalation, Server, Exploit, Payload, Expressivity
DocType
Conference
ISSN
1081-6011
ISBN
978-1-5090-0825-4
Citations
47
PageRank
1.05
References
29
Authors
6
Name                Order   Citations   PageRank
Hong Hu             1       93          6.07
Shweta Shinde       2       173         9.15
Sendroiu Adrian     3       47          1.05
Zheng Leong Chua    4       160         7.27
Prateek Saxena      5       1915        97.73
Zhenkai Liang       6       1486        81.00