
Data Is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome Non-Control-Data Attacks

  • Irene Díez-Franco
  • Igor Santos
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 527)

Abstract

Security researchers have been focusing on developing mitigation and protection mechanisms against code-injection and code-reuse attacks. Modern defences focus on protecting the legitimate control flow of a program; nevertheless, they cannot withstand a more subtle type of attack, non-control-data attacks, since these follow the legitimate control flow and thus leave no trace. Data-Flow Integrity (DFI) is a defence mechanism that aims to protect programs against non-control-data attacks. DFI uses static analysis to compute the data-flow graph of a program and then enforces at runtime that the data flow of the program follows a legitimate path; otherwise the execution is aborted.

In this paper, we review the state of the art in techniques for generating non-control-data attacks and present the current state of DFI methods.
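A toy model of the runtime check the abstract describes, added here as an example and not code from the paper or its authors: a statically computed reaching-definitions set per read site, a runtime table recording the last writer of each memory cell, and a check on every instrumented load. The cell layout, definition ids, function names and inputs are all constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Toy model of the DFI check of Castro et al. (constructed example, not the
 * paper's code): each memory cell records the id of the instruction that last
 * wrote it (runtime definitions table, RDT); every read site is checked against
 * the statically computed set of definitions allowed to reach it. */
#define CELLS 8
#define AUTH_CELL 4   /* cells 0..3: name buffer, cell 4: authorisation flag */
enum { DEF_INIT = 0, DEF_SET_AUTH = 1, DEF_COPY_NAME = 2, DEF_COUNT };
static uint8_t mem[CELLS];   /* program data */
static uint8_t rdt[CELLS];   /* last-writer definition id per cell */

/* Static reaching-definitions result for the load in check_auth(): the flag
 * may legitimately be defined only by initialisation or by set_auth(). */
static const int reaching_check_auth[DEF_COUNT] = { [DEF_INIT] = 1, [DEF_SET_AUTH] = 1 };

/* Instrumented store: perform the write and record which definition did it. */
static void dfi_write(int def_id, unsigned cell, uint8_t v) {
    mem[cell] = v; rdt[cell] = (uint8_t)def_id;
}

/* Instrumented load: 1 if the last writer is in the allowed set, 0 on violation. */
static int dfi_read(const int *allowed, unsigned cell, uint8_t *out) {
    if (!allowed[rdt[cell]]) return 0;
    *out = mem[cell];
    return 1;
}

static void set_auth(uint8_t v) { dfi_write(DEF_SET_AUTH, AUTH_CELL, v); }

/* Unchecked copy into the name buffer: a long input also redefines the adjacent
 * flag cell while control flow stays entirely legitimate (non-control data). */
static void copy_name(const uint8_t *src, unsigned len) {
    for (unsigned i = 0; i < len && i < CELLS; i++) dfi_write(DEF_COPY_NAME, i, src[i]);
}

/* 1 = authorised, 0 = not, -1 = DFI aborts: flag defined outside its reaching set. */
int check_auth(void) {
    uint8_t flag;
    if (!dfi_read(reaching_check_auth, AUTH_CELL, &flag)) return -1;
    return flag != 0;
}

/* Constructed inputs: a 4-byte name and a 5-byte one that spills into the flag. */
const uint8_t NAME_OK[4] = { 'b', 'o', 'b', 0 }, NAME_LONG[5] = { 'b', 'o', 'b', 0, 1 };

/* Runs one scenario from a fresh state and returns the check_auth() verdict. */
int run_scenario(uint8_t auth, const uint8_t *name, unsigned len) {
    memset(mem, 0, sizeof mem); memset(rdt, DEF_INIT, sizeof rdt);
    set_auth(auth); copy_name(name, len);
    return check_auth();
}
```

A control-flow integrity check would pass all three scenarios, since no indirect branch is ever redirected; only the data-flow check distinguishes the legitimate writer of the flag from the spill.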

Keywords

Data-flow integrity; Non-control-data attacks; Operating system security


Copyright information

© Springer International Publishing AG 2017

Open Access This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial 2.5 International License (http://creativecommons.org/licenses/by-nc/2.5/), which permits any noncommercial use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Authors and Affiliations

  1. DeustoTech, University of Deusto, Bilbao, Spain
