It is critical to defend software systems against memory-tampering attacks that can steal sensitive data, escalate privilege, or even execute arbitrary code on a remote system. However, most existing defense mechanisms have focused only on control-data attacks (e.g., control-flow hijacking) and cannot defend against data-only attacks such as Heartbleed, which tamper only with the program's data flow. Data-only attacks will become common once control-flow defenses such as control-flow integrity are widely deployed. This project will investigate new, principled solutions to data-only attacks with overhead low enough for deployment in practice.
The technical aims of the project are divided into two thrusts. The first thrust develops a novel compiler analysis and a runtime approach for ensuring cross-origin data flow integrity (X-DFI), which can effectively defend against real-world attacks that infect the victim system through one or more ingress points, e.g., a function that reads external data or an event handler for events controlled by attackers. By modeling each of these ingress points as a separate origin, X-DFI can prevent attacks from malicious origins from accessing data belonging to innocent origins by exploiting memory vulnerabilities such as buffer overflows or dangling pointers. The second thrust develops pointer-arithmetic integrity (PAI), which further reduces the runtime overhead and also deals with attacks within the same origin by ensuring the safety of pointer arithmetic in memory-unsafe languages such as C/C++. Enforcing PAI is lightweight because pointers that are involved in arithmetic typically account for only a small fraction of all pointers in the program. Through automated compiler and lightweight runtime techniques that enforce X-DFI and PAI together, the project aims to secure large, complex software against data-only attacks without requiring any change to the source code, with no false positives, and with minimal performance overhead.
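The following C program is an added illustration of the kind of data-only attack the abstract describes and of a pointer-arithmetic bounds check in the spirit of PAI; it is not the project's code, and the check shown (a simplified in-bounds test against a known object base and size, named `pai_check` here as a hypothetical stand-in for compiler-inserted instrumentation) is an assumption about how such a check could look, not the project's actual mechanism. The session record, its privilege flag and the oversized input are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a record whose data buffer sits next to a privilege flag.
 * Overwriting is_admin changes program data, not control flow, so CFI does not notice. */
struct session {
    char name[16];
    int  is_admin;
};

/* Constructed input: 16 filler bytes for name[] followed by a nonzero byte that
 * lands in is_admin (remaining bytes are zero-filled by the initializer). */
static const char PAYLOAD[20] = "AAAAAAAAAAAAAAAA\x01";

/* Unchecked copy: pointer arithmetic on the byte pointer p walks past name[]
 * into the adjacent is_admin field. The write goes through a char pointer
 * within the same struct, so the example behaves deterministically.
 * Returns the flag value after the copy. */
int copy_unchecked(struct session *s, const char *src, size_t n) {
    char *p = (char *)s + offsetof(struct session, name);
    for (size_t i = 0; i < n; i++)
        p[i] = src[i];
    return s->is_admin;
}

/* Hypothetical PAI-style check (assumption, not the project's mechanism):
 * a pointer derived by arithmetic must stay within [base, base + size). */
static int pai_check(const void *base, size_t size, const void *derived) {
    uintptr_t b = (uintptr_t)base, d = (uintptr_t)derived;
    return d >= b && d < b + size;
}

/* Checked copy: each derived pointer is validated against the bounds of name[]
 * before the write. Returns -1 if an out-of-bounds write was refused, else the flag. */
int copy_checked(struct session *s, const char *src, size_t n) {
    char *p = (char *)s + offsetof(struct session, name);
    for (size_t i = 0; i < n; i++) {
        char *q = p + i;                                  /* the pointer arithmetic under check */
        if (!pai_check(s->name, sizeof s->name, q))
            return -1;                                    /* would overwrite is_admin: stop */
        *q = src[i];
    }
    return s->is_admin;
}

/* Scenario helpers so the outcomes can be checked as return values. */
int demo_unchecked(void) {
    struct session s;
    memset(&s, 0, sizeof s);
    return copy_unchecked(&s, PAYLOAD, sizeof PAYLOAD);   /* nonzero: flag was tampered */
}

int demo_checked(void) {
    struct session s;
    memset(&s, 0, sizeof s);
    return copy_checked(&s, PAYLOAD, sizeof PAYLOAD);     /* -1: write refused */
}

int demo_checked_flag(void) {
    struct session s;
    memset(&s, 0, sizeof s);
    (void)copy_checked(&s, PAYLOAD, sizeof PAYLOAD);
    return s.is_admin;                                    /* 0: flag untouched */
}

int main(void) {
    printf("unchecked copy: is_admin = %d\n", demo_unchecked());
    printf("checked copy:   result = %d, is_admin = %d\n", demo_checked(), demo_checked_flag());
    return 0;
}
```

Only the pointer `q`, which is produced by arithmetic, is checked; the struct pointer `s` is used as-is. That is the observation the abstract relies on for PAI's low cost: the check is confined to the minority of pointers that are ever adjusted arithmetically.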
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.