SECDINT: Preventing Data-oriented Attacks via Intel SGX Escorted Data Integrity

Data-oriented attacks with the intent to corrupt critical memory data without violating Control-flow Integrity (CFI) pose significant threats to legitimate program execution. Existing mitigations predominantly rely on software-based memory safety measures to ensure critical data integrity, a solution often associated with elevated performance overhead and susceptibility to intricate attack techniques. In this paper, we present a CPU level data integrity design, named Intel SGX Escorted Data Integrity (SECDINT), to automatically protect sensitive variables against data-oriented attacks. Our design can achieve the data integrity of sensitive variables via SGX enforced isolation in binaries. We evaluate SECDINT on real-world applications. The results reveal that SECDINT can effectively identify sensitive variables, enforce data integrity, and prevent data-oriented attacks. Comparative analysis with existing software-based strategies (e.g., 103% run-time overhead in Data-flow Integrity, 116% in SoftBound with CETS), showcased SECDINT's remarkable capability in drastically reducing overhead to as low as 20.1%.