HexType: Efficient Detection of Type Confusion Errors for C++

Type confusion, often combined with use-after-free, is the main attack vector to compromise modern C++ software like browsers or virtual machines. Typecasting is a core principle that enables modularity in C++. For performance, most typecasts are only checked statically, i.e., the check only tests if a cast is allowed for the given type hierarchy, ignoring the actual runtime type of the object. Using an object of an incompatible base type instead of a derived type results in type confusion. Attackers abuse such type confusion issues to attack popular software products including Adobe Flash, PHP, Google Chrome, or Firefox. We propose to make all type checks explicit, replacing static checks with full runtime type checks. To minimize the performance impact of our mechanism HexType, we develop both low-overhead data structures and compiler optimizations. To maximize detection coverage, we handle specific object allocation patterns, e.g., placement new or reinterpret_cast which are not handled by other mechanisms. Our prototype results show that, compared to prior work, HexType has at least 1.1 -- 6.1 times higher coverage on Firefox benchmarks. For SPEC CPU2006 benchmarks with overhead, we show a 2 -- 33.4 times reduction in overhead. In addition, HexType discovered 4 new type confusion bugs in Qt and Apache Xerces-C++.

[1]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy software , 2005, TOPL.

[2]  Chao Zhang,et al.  VTint: Protecting Virtual Function Tables' Integrity , 2015, NDSS.

[3]  Herbert Bos,et al.  ShrinkWrap: VTable Protection without Loose Ends , 2015, ACSAC 2015.

[4]  Xi Chen,et al.  A Tough Call: Mitigating Advanced Code-Reuse Attacks at the Binary Level , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[5]  Trent Jaeger,et al.  Fine-Grained Control-Flow Integrity for Kernel Software , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[6]  Chao Zhang,et al.  VTrust: Regaining Trust on Virtual Calls , 2016, NDSS.

[7]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[8]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[9]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[10]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[11]  Cristiano Giuffrida,et al.  VTPin: practical VTable hijacking protection for binaries , 2016, ACSAC.

[12]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..

[13]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[14]  Dinakar Dhurjati,et al.  Secure virtual architecture: a safe execution environment for commodity operating systems , 2007, SOSP.

[15]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[16]  Robert O. Hastings,et al.  Fast detection of memory leaks and access errors , 1991 .

[17]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[18]  Wenke Lee,et al.  Type Casting Verification: Stopping an Emerging Attack Vector , 2015, USENIX Security Symposium.

[19]  Vikram S. Adve,et al.  KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels , 2014, 2014 IEEE Symposium on Security and Privacy.

[20]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[21]  Erik van der Kouwe,et al.  TypeSan: Practical Type Confusion Detection , 2016, CCS.

[22]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[23]  Herbert Bos,et al.  Practical Context-Sensitive CFI , 2015, CCS.

[24]  Sorin Lerner,et al.  SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks , 2014, NDSS.