Feedback control can make data structure layout randomization more cost-effective under zero-day attacks

作     者：Ping Chen Zhisheng Hu Jun Xu Minghui Zhu Peng Liu 

作者机构：College of Information Sciences and TechnologyThe Pennsylvania State UniversityUniversity Park 16802PAUSA The School of Electrical Engineering and Computer ScienceThe Pennsylvania State UniversityState CollegeUniversity Park 16801PAUSA 

出 版 物：《Cybersecurity》 (网络空间安全科学与技术（英文）)

年 卷 期：2018年第1卷第1期

页      面：93-105页

核心收录：

学科分类：1304[艺术学-美术学] 13[艺术学] 08[工学] 0804[工学-仪器科学与技术] 0802[工学-机械工程] 

基　　金：supported by ARO W911NF-13-1-0421(MURI) NSF CNS-1422594 NSF CNS-1505664 

主　　题：Data structure manipulation attack Data structure layout randomization Adaptive security Feedback control 

摘      要：In the wake of the research community gaining deep understanding about control-hijacking attacks,data-oriented attacks have *** data-oriented attacks,data structure manipulation attack(DSMA)is a major *** research was conducted and shows that DSMA is able to circumvent the most effective defenses against control-hijacking attacks-DEP,ASLR and *** to this day,only two defense techniques have demonstrated their effectiveness:Data Flow Integrity(DFI)and Data Structure Layout Randomization(DSLR).However,DFI has high performance overhead,and dynamic DSLR has two main limitations.L-1:Randomizing a large set of data structures will significantly affect the performance.L-2:To be practical,only a fixed sub-set of data structures are *** the case that the data structures targeted by an attack are not covered,dynamic DSLR is essentially *** address these two limitations,we propose a novel technique,feedback-control-based adaptive DSLR and build a system named *** seeks to optimize the trade-off between security and cost through feedback *** a novel feedback-control-based adaptive algorithm extended from the Upper Confidence Bound(UCB)algorithm,the defender(controller)uses the feedbacks(cost-effectiveness)from previous randomization cycles to adaptively choose the set of data structures to randomize(the next action).Different from dynamic DSLR,the set of randomized data structures are adaptively changed based on the *** obtain the feedbacks,SALADSPlus inserts canary in each data structure at the time of *** have implemented SALADSPlus based on *** results show that the runtime overheads are 1.8%,3.7%,and 5.3% when the randomization cycles are selected as 10s,5s,and 1s respectively.