Identifying Non-Control Security-Critical Data in Program Binaries with a Deep Neural Model

As control-flow protection methods get widely deployed it is difficult for attackers to corrupt control data to build attacks. Instead, data-oriented exploits, which modify non-control data for malicious goals, have been demonstrated to be possible and powerful. To defend against data-oriented exploits, the first fundamental step is to identify non-control, security-critical data. However, previous works mainly rely on tedious human efforts to identify critical data, which cannot handle large applications nor easily port to new programs. In this work, we investigate the application of deep learning to critical data identification. This work provides non-intuitive understanding about (a) why straightforward ways of applying deep learning would fail, and (b) how deep learning should be applied in identifying critical data. Based on our insights, we have discovered a non-intuitive method which combines Tree-LSTM models and a novel structure of data-flow tree to effectively identify critical data from execution traces. The evaluation results show that our method can achieve 87.47% accuracy and a F1 score of 0.9123, which significantly outperforms the baselines. To the best of our knowledge, this is the first work using a deep neural model to identify critical data in program binaries.