In recent years, non-control-data attacks have be come a research hotspot in the field of network security, drivenby the increasing number of defense methods against control-flowhijacking attacks. These attacks exploit memory vulnerabilitiesto modify non-control data within a program, thereby altering itsbehavior without compromising control-flow integrity. Researchhas shown that non-control-data attacks can be just as damagingas control-flow hijacking attacks and are even Turing complete,making them a serious security threat. However, despite beingdiscovered long ago, the threat of non-control-data attacks hasnot been adequately addressed. In this review, we first classifynon-control-data attacks into two categories based on theirevolution: security-sensitive function attacks and data-orientedprogramming (DOP) attacks. Subsequently, based on the non control-data attack model, we categorize existing defense methodsinto three main strategies: memory safety, data confidentiality,and data integrity protection. We then analyze recent defensetechniques specifically designed for DOP attacks. Finally, weidentify the key challenges hindering the widespread adoptionof defenses against non-control-data attacks and explore futureresearch directions in this field.
View on arXiv@article{chong2025_2503.22765,
title={ Non-control-Data Attacks and Defenses: A review },
author={ Lei Chong },
journal={arXiv preprint arXiv:2503.22765},
year={ 2025 }
}