Space Wars: Exploiting Program (in)Variants for Software Security
The ever-increasing code base of modern software inevitably introduces vulnerabilities that enable attackers to construct sophisticated exploits and compromise our computer systems. Control-flow hijacking is the state-of-the-art exploit method, in which attackers aim to take over the execution of the vulnerable program. Accordingly, defenders strive to protect control-flow integrity to mitigate such attacks. As these protections are gradually deployed, it is becoming harder for attackers to hijack the control flow, and they may switch to other exploit methods to achieve their malicious goals. It is urgent for defenders to understand the remaining attack vectors and to develop defenses in advance. In this talk, I will present two works that explore the program data space both to provide comprehensive protections and to detect new and potentially devastating attacks. First, I will demonstrate that the program data space provides the auxiliary information necessary for complete protection against control-flow attacks. Specifically, only with extra context information can we determine the unique code target of an indirect call or jump. Second, I will demonstrate that data-oriented attacks, which conform to all control-flow protections, are practical and expressive and can be generated automatically. Attackers can systematically search the program data space to construct arbitrary, even Turing-complete, computations in real-world programs such as browsers. Finally, I will discuss my plan to extend data-oriented attacks to other platforms and languages, and potential directions for preventing this new type of attack.