HardScope: Thwarting DOP with Hardware-assisted Run-time Scope Enforcement

Widespread use of memory unsafe programming languages (e.g., C and C++) leaves many systems vulnerable to memory corruption attacks. A variety of defenses have been proposed to mitigate attacks that exploit memory errors to hijack the control flow of the code at run-time, e.g., (fine-grained) randomization or Control Flow Integrity. However, recent work on data-oriented programming (DOP) demonstrated highly expressive (Turing-complete) attacks, even in the presence of these state-of-the-art defenses. Although multiple real-world DOP attacks have been demonstrated, no efficient defenses are yet available. We propose run-time scope enforcement (RSE), a novel approach designed to efficiently mitigate all currently known DOP attacks by enforcing compile-time memory safety constraints (e.g., variable visibility rules) at run-time. We present HardScope, a proof-of-concept implementation of hardware-assisted RSE for the new RISC-V open instruction set architecture. We discuss our systematic empirical evaluation of HardScope which demonstrates that it can mitigate all currently known DOP attacks, and has a real-world performance overhead of 3.2% in embedded benchmarks

HardScope : Run-time variable scope enforcement as a defense against data-oriented programming attacks

Memory errors exist in software written in memory-unsafe languages like C. They introduce severe vulnerabilities in software. Vulnerabilities may even be exploited by attackers over the Internet and sometimes they can be used to gain complete control of computer systems. Exploitation of memory errors is usually not trivial, but requires building an attack that corrupts the memory carefully to achieve the attacker’s goal. Multiple defenses against memory attacks exist and modern systems have complete defenses in place against certain attack classes. All defenses cannot be applied to all systems, and they do not protect against all possible attacks. Data-Oriented Programming (DOP) attacks are a new class of attacks that utilize the target program’s existing code to perform malicious operations. DOP differs from other attacks like Return-Oriented Programming (ROP) by avoiding control-flow violations, making it impossible to prevent with control-flow defenses. We analyze existing DOP attacks and determine that their expressiveness in real-world programs requires violating C variable visibility rules. We introduce Run-time Scope Enforcement (RSE), a defense that enforces variable visibility rules at run time. In this thesis, we introduce HardScope, our hardware-assisted implementation of RSE. HardScope has an instrumentation engine that instruments C programs with code that maintains variable visibility rules during execution. The run-time platform is based on RISC-V and consists of instruction set extensions and new processor logic that performs the enforcement. Evaluation shows that HardScope has low performance overhead and that it defends against existing DOP attacks