| Popis: |
Non-control-data attacks are those attacks that purely target and modify the non-control data of a program, such as boolean values, user input or configuration parameters, and leave the control flow of a program untouched. These attacks were considered a niche due to the high difficulty in crafting attacks that do not modify the control flow. However, in recent years researchers have already demonstrated that non-control-data attacks can be automatically constructed and that they pose a significant threat because they can compromise critical and widely used software, such as web browsers and the Linux kernel. Moreover, they can also be used to disable or bypass state-of-the-art software security techniques, such as control-flow integrity. The most promising technique to protect against non-control-data attacks is data-flow integrity, however, modern compilers do not implement this protection yet. In this work we present an optimized data-flow integrity implementation for modern compilers that reduces the amount of basic blocks that need to be protected in an average of 45.8%, it also has broader security guarantees due to its more precise static analysis. Finally, we evaluate the completeness of our optimized data-flow integrity implementation. |
