TypeSan: Practical Type Confusion Detection

The low-level C++ programming language is ubiquitously used for its modularity and performance. Typecasting is a fundamental concept in C++ (and object-oriented programming in general) to convert a pointer from one object type into another. However, downcasting (converting a base class pointer to a derived class pointer) has critical security implications due to potentially different object memory layouts. Due to missing type safety in C++, a downcasted pointer can violate a programmer's intended pointer semantics, allowing an attacker to corrupt the underlying memory in a type-unsafe fashion. This vulnerability class is receiving increasing attention and is known as type confusion (or bad-casting). Several existing approaches detect different forms of type confusion, but these solutions are severely limited due to both high run-time performance overhead and low detection coverage. This paper presents TypeSan, a practical type-confusion detector which provides both low run-time overhead and high detection coverage. Despite improving the coverage of state-of-the-art techniques, TypeSan significantly reduces the type-confusion detection overhead compared to other solutions. TypeSan relies on an efficient per-object metadata storage service based on a compact memory shadowing scheme. Our scheme treats all the memory objects (i.e., globals, stack, heap) uniformly to eliminate extra checks on the fast path and relies on a variable compression ratio to minimize run-time performance and memory overhead. Our experimental results confirm that TypeSan is practical, even when explicitly checking almost all the relevant typecasts in a given C++ program. Compared to the state of the art, TypeSan yields orders of magnitude higher coverage at 4--10 times lower performance overhead on SPEC and 2 times on Firefox. As a result, our solution offers superior protection and is suitable for deployment in production software. Moreover, our highly efficient metadata storage back-end is potentially useful for other defenses that require memory object tracking.

[1]  Sorin Lerner,et al.  Protecting C++ Dynamic Dispatch Through VTable Interleaving , 2016, NDSS.

[2]  Herbert Bos,et al.  Undermining Information Hiding (and What to Do about It) , 2016, USENIX Security Symposium.

[3]  Miguel Castro,et al.  Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors , 2009, USENIX Security Symposium.

[4]  Vikram S. Adve,et al.  LLVM: a compilation framework for lifelong program analysis & transformation , 2004, International Symposium on Code Generation and Optimization, 2004. CGO 2004..

[5]  John L. Henning SPEC CPU2006 benchmark descriptions , 2006, CARN.

[6]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[7]  Herbert Bos,et al.  ShrinkWrap: VTable Protection without Loose Ends , 2015, ACSAC 2015.

[8]  Matthias Hauswirth,et al.  Producing wrong data without doing anything obviously wrong! , 2009, ASPLOS.

[9]  Wenke Lee,et al.  Type Casting Verification: Stopping an Emerging Attack Vector , 2015, USENIX Security Symposium.

[10]  References , 1971 .

[11]  George Candea,et al.  High System-Code Security with Low Overhead , 2015, 2015 IEEE Symposium on Security and Privacy.

[12]  Herbert Bos,et al.  Poking Holes in Information Hiding , 2016, USENIX Security Symposium.

[13]  Erik van der Kouwe,et al.  METAlloc: efficient and comprehensive metadata management for software security hardening , 2016, EuroSec '16.

[14]  Jonathon T. Giffin,et al.  Static detection of C++ vtable escape vulnerabilities in binary code , 2012, NDSS.

[15]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[16]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[17]  Herbert Bos,et al.  Practical Context-Sensitive CFI , 2015, CCS.

[18]  Chao Zhang,et al.  VTrust: Regaining Trust on Virtual Calls , 2016, NDSS.

[19]  Xi Chen,et al.  A Tough Call: Mitigating Advanced Code-Reuse Attacks at the Binary Level , 2016, 2016 IEEE Symposium on Security and Privacy (SP).