As control-flow protection techniques are widely deployed, it is difficult for attackers to modify control data, such as function pointers, to hijack program control flow. Instead, data-only attacks corrupt security-critical non-control data (critical data) and can bypass all control-flow protections to revive severe attacks. Previous works have explored various methods to help construct or prevent data-only attacks. However, no solution can automatically detect program-specific critical data. In this paper, we identify an important category of critical data, syscall-guard variables, and propose a set of solutions to automatically detect such variables in a scalable manner. Syscall-guard variables determine whether security-related system calls (syscalls) are invoked, and altering them allows attackers to request extra privileges from the operating system. We propose branch force, which intentionally flips every conditional branch during execution and checks whether new security-related syscalls are invoked. If so, we conduct dataflow analysis to estimate the feasibility of flipping such branches through common memory errors. We build a tool, VIPER, to implement our ideas. VIPER successfully detects 34 previously unknown syscall-guard variables from 13 programs. We build four new data-only attacks on sqlite and v8, which execute arbitrary commands or delete arbitrary files. VIPER completes its analysis within five minutes for most programs, showing its practicality for spotting syscall-guard variables.
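The branch-force idea described above, as an added illustration that is not VIPER's own code: a constructed toy program is run once normally and then once per conditional branch with that branch's outcome forced to the opposite value; any security-related syscall that appears only in a flipped run points at the variable guarding that branch. The `Tracer` instrumentation, the toy program, the set `SECURITY_SYSCALLS`, and the request format are all assumptions for this example; the paper's dataflow step that estimates whether a memory error could realistically flip the branch is not modelled here.

```python
"""Toy 'branch force' harness for finding syscall-guard variables.

Constructed example: the program under test calls back into a Tracer for
every conditional branch and every syscall, so the harness can flip one
branch at a time and compare the syscalls observed with the baseline run.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed set of syscalls treated as security-related for this example.
SECURITY_SYSCALLS = {"execve", "unlink", "setuid"}


@dataclass
class Tracer:
    """Records branch sites and syscalls; optionally forces one branch."""
    flip_site: Optional[int] = None                     # branch id to flip, or None
    syscalls: List[str] = field(default_factory=list)
    branch_vars: Dict[int, str] = field(default_factory=dict)  # site -> guard variable name

    def branch(self, site: int, guard_name: str, cond: bool) -> bool:
        """Return the branch outcome, inverted if this site is being forced."""
        self.branch_vars[site] = guard_name
        return (not cond) if site == self.flip_site else cond

    def syscall(self, name: str, *args) -> None:
        """Stand-in for a real syscall: only the name is recorded."""
        self.syscalls.append(name)


def toy_request_handler(t: Tracer, req: dict) -> None:
    """Constructed sample program with one syscall-guard variable (allow_exec)
    gating execve, plus an unrelated branch on a logging flag."""
    allow_exec = req.get("role") == "admin"
    verbose = req.get("verbose", False)
    if t.branch(1, "verbose", verbose):
        t.syscall("write", "log line")
    t.syscall("read", "request body")
    if t.branch(2, "allow_exec", allow_exec):
        t.syscall("execve", req["cmd"])
    t.syscall("write", "reply")


def branch_force(program: Callable[[Tracer, dict], None], inp: dict) -> Dict[str, List[str]]:
    """Flip each branch reached by the baseline run and report the guard
    variables whose flip introduces new security-related syscalls."""
    base = Tracer()
    program(base, inp)
    base_sec = {s for s in base.syscalls if s in SECURITY_SYSCALLS}

    findings: Dict[str, List[str]] = {}
    # Only branches reached in the baseline run are flipped; a fuller harness
    # would iterate until no new branch sites are discovered.
    for site, guard_name in sorted(base.branch_vars.items()):
        forced = Tracer(flip_site=site)
        program(forced, inp)
        new_sec = {s for s in forced.syscalls if s in SECURITY_SYSCALLS} - base_sec
        if new_sec:
            findings[guard_name] = sorted(new_sec)
    return findings


if __name__ == "__main__":
    # Constructed unprivileged request: the baseline run never reaches execve.
    print(branch_force(toy_request_handler, {"role": "user", "cmd": "ls"}))
```

Flipping the `verbose` branch only adds a `write`, so it is not reported; flipping the `allow_exec` branch adds `execve`, so `allow_exec` is reported as a syscall-guard variable. For a request that already runs as `admin`, no flip adds a new security-related syscall and the result is empty, which is the expected behaviour: the method looks for privileges the baseline run did not already exercise.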

Deep Packet Inspection (DPI) systems are essential for securing modern networks (e.g., blocking or logging abnormal network connections). However, DPI systems are known to be vulnerable in their implementations, which could be exploited for evasion attacks. Due to the critical role DPI systems play, many efforts have been made to detect vulnerabilities in DPI systems through manual inspection, symbolic execution, and fuzzing, which suffer from poor scalability, path explosion, or inappropriate feedback. In this paper, based on our observation that a DPI system usually reaches an abnormal internal state before a forbidden packet passes through it, we propose a fuzzing framework that prioritizes inputs/mutations which could trigger the DPI system's abnormal internal states. Further, to avoid requiring a deep understanding of the DPI systems under inspection (e.g., to identify the abnormal states), we feed one pair of inputs to multiple DPI systems and check whether the state changes of these DPI systems are consistent: an inconsistent internal state change/transition in one of the DPI systems indicates that a new abnormal state is reached in the corresponding DPI system. Naturally, inputs that trigger new abnormal states are preferentially selected for mutation to generate new inputs. Following this idea, we develop StateDiver, the first fuzzing framework that uses the state discrepancy between different DPI systems as feedback to find more bypassing strategies. We make StateDiver publicly available online. With the help of StateDiver, we tested 3 well-known open-source DPI systems (Snort, Snort++, and Suricata) and discovered 16 bypass strategies (8 new and 8 previously known). We have reported all the vulnerabilities to the vendors and received one CVE by the time of writing. We also compared StateDiver with Geneva, the state-of-the-art fuzzing tool for detecting DPI bugs. Results showed that StateDiver outperformed Geneva in both the number and speed of finding vulnerabilities, indicating the ability of StateDiver to detect strategies that bypass DPI systems effectively.
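The state-discrepancy feedback described above, as an added example that is not StateDiver's code: the same packet sequence is run through two constructed toy DPI flow-state machines, the per-packet states are compared, and an input is scored by how many (state in A, state in B) disagreements it exposes that the fuzzer has not seen before. Inputs with a higher score are ordered first for mutation. The packet format, the two models (`dpi_a` inspects every packet, `dpi_b` discards malformed ones), and the `TRANSITIONS` table are all assumptions for this example.

```python
"""Differential state feedback over two toy DPI models (constructed example).

Each model exposes the flow state it is in after every packet.  A
discrepancy is a position where the two models are in different states;
novelty counts discrepancies the fuzzer has not recorded before.
"""
from typing import Callable, List, Set, Tuple

Packet = Tuple[str, bool]          # (flag, well_formed): constructed packet format
Trace = List[str]                  # flow state after each packet
StatePair = Tuple[str, str]        # (state in model A, state in model B)

# Simplified flow state machine shared by both models (assumed, not a real DPI's).
TRANSITIONS = {
    ("LISTEN", "SYN"): "SYN_SEEN",
    ("SYN_SEEN", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "FIN"): "CLOSED",
}


def step(state: str, flag: str) -> str:
    """Advance the flow state; unknown (state, flag) pairs leave it unchanged."""
    return TRANSITIONS.get((state, flag), state)


def dpi_a(pkts: List[Packet]) -> Trace:
    """Toy DPI A: feeds every packet, malformed or not, to its state machine."""
    state, trace = "LISTEN", []
    for flag, _well_formed in pkts:
        state = step(state, flag)
        trace.append(state)
    return trace


def dpi_b(pkts: List[Packet]) -> Trace:
    """Toy DPI B: drops malformed packets before they reach its state machine."""
    state, trace = "LISTEN", []
    for flag, well_formed in pkts:
        if well_formed:
            state = step(state, flag)
        trace.append(state)
    return trace


MODELS: Tuple[Callable[[List[Packet]], Trace], ...] = (dpi_a, dpi_b)


def discrepancies(pkts: List[Packet]) -> List[StatePair]:
    """Positions where the two models disagree on the flow state."""
    trace_a, trace_b = (m(pkts) for m in MODELS)
    return [(a, b) for a, b in zip(trace_a, trace_b) if a != b]


def novelty(pkts: List[Packet], seen: Set[StatePair]) -> int:
    """Number of distinct, not-yet-seen discrepant state pairs this input exposes."""
    return len({d for d in discrepancies(pkts) if d not in seen})


def prioritize(corpus: List[List[Packet]], seen: Set[StatePair]) -> List[List[Packet]]:
    """Order the corpus so inputs exposing new discrepancies are mutated first,
    then record their discrepancies so the same finding is not rewarded again."""
    ranked = sorted(corpus, key=lambda p: novelty(p, seen), reverse=True)
    for p in corpus:
        seen.update(discrepancies(p))
    return ranked


# Constructed corpus: a clean handshake, and two sequences containing a malformed packet.
CLEAN: List[Packet] = [("SYN", True), ("ACK", True), ("FIN", True)]
BAD_FIN: List[Packet] = [("SYN", True), ("ACK", True), ("FIN", False)]
BAD_SYN: List[Packet] = [("SYN", False), ("ACK", True)]

if __name__ == "__main__":
    seen: Set[StatePair] = set()
    for inp in prioritize([CLEAN, BAD_FIN, BAD_SYN], seen):
        print(inp, discrepancies(inp))
```

`BAD_SYN` ranks first because model A accepts the malformed SYN and runs ahead to `ESTABLISHED` while model B stays in `LISTEN`, giving two new discrepant pairs; `BAD_FIN` gives one; the clean handshake gives none and is ranked last. Once the discrepancies are recorded in `seen`, re-scoring the same inputs yields zero, which is what pushes the fuzzer toward mutations that reach states it has not yet compared.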