One Flip is All It Takes: Identifying Syscall-Guard Variables for Data-Only Attacks

Discover how manipulating key variables can trigger malicious system calls in data-only attacks, bypassing common security protections like ASLR and CFI.

Key takeaways
  • Data-only attacks target non-control data but can achieve similar malicious goals as control flow hijacking attacks with simpler execution

  • The researchers identified “syscall guard variables” as critical data that can be manipulated to trigger security-related system calls

  • The Viper framework was developed to automatically identify syscall guard variables through:

    • Branch force analysis
    • Dataflow analysis
    • Dynamic execution monitoring
  • 36 syscall guard variables were identified across 14 programs:

    • 15 related to file deletion/overwriting
    • 10 related to code execution
    • Others related to permission changes
  • Successful proof-of-concept attacks were demonstrated on:

    • SQLite database
    • V8 JavaScript engine
    • Web servers using CGI-bin manipulation
  • Global variables and stack variables with long lifespans were found to be more vulnerable targets

  • Analysis can be completed within 5 minutes for most programs, though larger ones like V8 take around 30 minutes

  • Memory write primitives are needed to corrupt target variables, often leveraging existing CVEs

  • Unlike control flow hijacking, data-only attacks can bypass common protections like ASLR and control flow integrity

  • Data-only attacks are currently less common than control flow attacks primarily due to difficulty in identifying critical data targets
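The "one flip" point above is easiest to see in code. The following is an added illustration, not code from the paper or from Viper: a plain byte gating a file-deletion syscall is a syscall-guard variable that a single corrupted bit turns on, while a redundantly encoded guard (value plus its bitwise complement, with arbitrary magic constants chosen here) lets the program detect the corruption and refuse the operation. No real syscall is issued; the functions return the decision so it can be checked.

```c
#include <stddef.h>
#include <stdint.h>

/* Naive pattern: one byte decides whether a security-sensitive syscall
 * (here, unlink() of a file) is reached. Flipping a single bit of that
 * byte is enough to turn a benign run into a file-deleting one. */
struct naive_cfg {
    unsigned char allow_delete;     /* syscall-guard variable */
};

int naive_should_unlink(const struct naive_cfg *c)
{
    return c->allow_delete ? 1 : 0; /* 1: unlink() would be called */
}

/* Hardened pattern: store the decision as two words that must always be
 * bitwise complements of each other, using magic constants rather than
 * 0/1. A single-bit corruption of either word breaks the relationship,
 * so the check refuses the operation instead of trusting the flipped
 * value. (Added example; the constants are arbitrary.) */
#define GUARD_ON  0xA5A5A5A5u
#define GUARD_OFF 0x5A5A5A5Au

struct hardened_cfg {
    uint32_t allow_delete;
    uint32_t allow_delete_inv;      /* invariant: == ~allow_delete */
};

void hardened_set(struct hardened_cfg *c, int allow)
{
    c->allow_delete     = allow ? GUARD_ON : GUARD_OFF;
    c->allow_delete_inv = ~c->allow_delete;
}

/* 1 = proceed, 0 = refuse, -1 = guard corrupted (refuse and alert). */
int hardened_should_unlink(const struct hardened_cfg *c)
{
    if ((c->allow_delete ^ c->allow_delete_inv) != 0xFFFFFFFFu)
        return -1;                  /* copies disagree: memory was tampered */
    if (c->allow_delete == GUARD_ON)  return 1;
    if (c->allow_delete == GUARD_OFF) return 0;
    return -1;                      /* neither valid encoding */
}

/* Simulates the "one flip": corrupt a single bit of one byte in memory. */
void flip_bit(void *p, size_t byte, unsigned bit)
{
    ((unsigned char *)p)[byte] ^= (unsigned char)(1u << bit);
}
```

The redundant encoding only raises the bar for a single-bit or single-byte write; an attacker with an unconstrained multi-word write primitive can still rewrite both copies consistently, which is why the paper treats guard identification, not encoding alone, as the core problem.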