Join Hong Hu, assistant professor, for an IST Research Talk titled "Spotting Syscall-Guard Variables for Data-Only Attacks."
As control-flow protection techniques are widely deployed, it is difficult for attackers to modify control data, like function pointers, to hack our computer systems. Instead, the emerging data-only attacks corrupt security-critical non-control data—or critical data—and can bypass all current control-flow protections and revive severe attacks. Previous work has explored various methods to help construct or prevent data-only attacks. However, no solution can automatically identify program-specific critical data.
In this talk, Hu identifies an important category of critical data—syscall-guard variables—and proposes novel solutions to detect such variables automatically and at scale. Syscall-guard variables determine whether security-related system calls (syscalls) are invoked, so altering them lets an attacker request extra privileges from the operating system. Hu proposes branch force, which intentionally flips every conditional branch during execution and checks whether new security-related syscalls are invoked. If so, data-flow analysis can estimate the feasibility of flipping such branches through common memory errors.
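As an added illustration (not Hu's code or VIPER), this Python toy simulates the branch-force idea on a constructed program: every branch site recorded in a baseline run is flipped one at a time, and a site is reported as a syscall guard when the flipped run issues a security-related syscall the baseline did not. The tracer, the toy service and the syscall list are all constructed here; the follow-on data-flow feasibility step is not modeled.

```python
from typing import Callable, Dict, Iterable, List, Set

# Constructed: syscalls treated as "security-related" in this toy model.
SECURITY_SYSCALLS: Set[str] = {"execve", "unlink", "setuid", "chmod"}


class Tracer:
    """Records branch sites and syscalls; optionally flips chosen branches."""

    def __init__(self, flips: Iterable[str] = ()) -> None:
        self.flips = set(flips)
        self.visited: List[str] = []   # branch sites in execution order
        self.syscalls: List[str] = []  # syscalls in execution order

    def branch(self, site: str, cond: bool) -> bool:
        self.visited.append(site)
        return (not cond) if site in self.flips else cond

    def syscall(self, name: str) -> None:
        self.syscalls.append(name)


def toy_service(t: Tracer, req: Dict[str, object]) -> None:
    """Constructed target: deletes a file only when the request is from an admin."""
    is_admin = bool(req.get("admin", False))   # the syscall-guard variable
    verbose = bool(req.get("verbose", False))  # not security-relevant
    t.syscall("openat")
    if t.branch("B1", is_admin):
        t.syscall("unlink")   # privileged action behind the guard
    if t.branch("B2", verbose):
        t.syscall("write")
    t.syscall("close")


def branch_force(program: Callable[[Tracer, Dict[str, object]], None],
                 req: Dict[str, object]) -> Dict[str, Set[str]]:
    """Flip each branch site seen in a baseline run, one at a time, and
    report the sites whose flip introduces security-related syscalls."""
    base = Tracer()
    program(base, req)
    baseline = set(base.syscalls)
    guards: Dict[str, Set[str]] = {}
    for site in dict.fromkeys(base.visited):   # unique sites, in order
        run = Tracer(flips={site})
        program(run, req)
        new = (set(run.syscalls) - baseline) & SECURITY_SYSCALLS
        if new:
            guards[site] = new
    return guards


if __name__ == "__main__":
    print(branch_force(toy_service, {"path": "/tmp/x", "admin": False}))
```

For an unprivileged request the only flagged site is B1, whose guard is `is_admin`; flipping B2 adds a `write` that the toy does not count as security-related.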
Hu built a tool, VIPER, to implement these ideas. VIPER successfully detects thirty-four previously unknown syscall-guard variables from thirteen programs. Hu built four new data-only attacks on (1) SQLite—the default database management system (DBMS) on Android, iOS, macOS, and Windows, and (2) V8—the JavaScript engine of Google Chrome, Microsoft Edge, Opera, and Node.js. These attacks allow remote attackers to either execute arbitrary commands or delete arbitrary files. VIPER completes its analysis within five minutes for most programs, showing its practicality for spotting syscall-guard variables. This talk will include live demonstrations of these attacks.