With the development of research on noncontrol data attacks and defenses, the threat of data-oriented programming (DOP) attacks has attracted increasing attention from the security research community. DOP attacks can manipulate security-critical noncontrol data to alter program behavior without violating control-flow integrity (CFI) and can circumvent the most effective defenses against control-data attacks. Among DOP attacks, the misuse of user input data is a major contributor. Moreover, existing defense methods, e.g., DOPdefender, currently lack security protection for user input data. To effectively defend against DOP attacks, we propose a novel technique, DOPdefenderPlus, which draws on the idea of divide-and-conquer and uses the modular authentication technique to make DOPdefender scalable for complex software that is designed modularly, and which introduces the Inputguard technique to protect the program input data. DOPdefenderPlus is an enhanced version of DOPdefender that overcomes some limitations of DOPdefender. We implement DOPdefenderPlus on a Linux operating system and use it to defend against multiple realistic DOP attacks. We also evaluate the performance of our method, and all the results show that DOPdefenderPlus can overcome the two limitations of DOPdefender while introducing a moderate runtime overhead.
               