As cyber attackers are always exploring novel, low-cost hacking vectors to bypass current defenses, security researchers should examine the remaining threats comprehensively in order to develop effective defenses in advance. Within program memory, attackers are shifting their attentions from control hijacking to more stealthy, pure data manipulation: they aim to modify security-critical variables to bypass security checks, like authentication and authorization. Researchers must understand which variables determine application security before developing efficient defenses to prevent so-called data-only attacks. This project proposes three thrusts to comprehensively understand the practicality of automatically constructing data-only attacks. First, Thrust 1 includes a set of novel techniques aiming to automatically identify security-critical, non-control data from general-purpose programs. Thrust 1 will focus on conditional branches that prevent untrusted users from accessing high-privilege resources. The result will help defenders understand whether security-critical variables can be identified automatically. Second, Thrust 2 will develop solutions to measure the challenges of constructing concrete data-only attacks. The goal is to estimate the upper-bound cost of building attacks. The results of this thrust will help understand the practicality of this new threat. Third, Thrust 3 will build a benchmark of data-only attacks to offer a unified platform for testing future data-only attacks and defenses. This project will produce a set of tools for identifying security-critical variables and assessing variable criticalness, and provide a platform for developing new defenses against data-only attacks.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.