Towards automated integrity protection of C++ virtual function tables in binary programs

Web browsers are one of the most used, complex, and popular software systems nowadays. They are prone to dangling pointers that result in use-after-free vulnerabilites and this is the de-facto way to exploit them. From a technical point of view, an attacker uses a technique called vtable hijacking to exploit such bugs. More specifically, she crafts bogus virtual tables and lets a freed C++ object point to it in order to gain control over the program at virtual function call sites. In this paper, we present a novel approach towards mitigating and detecting such attacks against C++ binary code. We propose a static binary analysis technique to extract virtual function call site information in an automated way. Leveraging this information, we instrument the given binary executable and add runtime policy enforcements to thwart the illegal usage of these call sites. We implemented the proposed techniques in a prototype called T-VIP and successfully hardened three versions of Microsoft's Internet Explorer and Mozilla Firefox. An evaluation with several zero-day exploits demonstrates that our method prevents all of them. Performance benchmarks both on micro and macro level indicate that the overhead is reasonable with about 2.2%, which is only slightly higher compared to recent compiler-based approaches that address this problem.

[1]  Charlie Miller,et al.  Engineering Heap Overflow Exploits with JavaScript , 2008, WOOT.

[2]  Lorenzo Martignoni,et al.  Surgically Returning to Randomized lib(c) , 2009, 2009 Annual Computer Security Applications Conference.

[3]  Gregory R. Andrews,et al.  Disassembly of executable code revisited , 2002, Ninth Working Conference on Reverse Engineering, 2002. Proceedings..

[4]  Periklis Akritidis,et al.  Cling: A Memory Allocator to Mitigate Dangling Pointers , 2010, USENIX Security Symposium.

[5]  Thomas Dullien,et al.  REIL: A platform-independent intermediate representation of disassembled code for static code analysis , 2009 .

[6]  D. Quinlan,et al.  ROSE: Compiler Support for Object-Oriented Frameworks , 1999, Parallel Process. Lett..

[7]  David Brumley,et al.  BAP: A Binary Analysis Platform , 2011, CAV.

[8]  Priya Narasimhan,et al.  Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis , 2014, PPREW'14.

[9]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[10]  Emery D. Berger,et al.  DieHarder: securing the heap , 2010, CCS '10.

[11]  Daniel J. Quinlan ROSE: Compiler Support for Object-Oriented Frameworks , 2000, Parallel Process. Lett..

[12]  Karel Driesen,et al.  The direct cost of virtual function calls in C++ , 1996, OOPSLA '96.

[13]  Juan Caballero,et al.  Undangle: early detection of dangling pointers in use-after-free and double-free vulnerabilities , 2012, ISSTA 2012.

[14]  David S. Wise,et al.  One-bit counts between unique and sticky , 1998, ISMM '98.

[15]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[16]  Josep Silva,et al.  A vocabulary of program slicing-based techniques , 2012, CSUR.

[17]  Cristiano Giuffrida,et al.  Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization , 2012, USENIX Security Symposium.

[18]  R. Sekar,et al.  Eternal War in Memory , 2014, IEEE Security & Privacy.

[19]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[20]  C. R. Henson Conclusion , 1969 .

[21]  Emery D. Berger,et al.  DieHard: probabilistic memory safety for unsafe languages , 2006, PLDI '06.

[22]  Hovav Shacham,et al.  Return-oriented programming without returns , 2010, CCS '10.

[23]  Erez Petrank,et al.  An on-the-fly reference counting garbage collector for Java , 2001, OOPSLA '01.

[24]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[25]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.

[26]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[27]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[28]  Mark Harman,et al.  A survey of empirical results on program slicing , 2004, Adv. Comput..

[29]  Kevin W. Hamlen,et al.  Binary stirring: self-randomizing instruction addresses of legacy x86 binary code , 2012, CCS.

[30]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[31]  Evelyn Duesterwald,et al.  Design and implementation of a dynamic optimization framework for windows , 2000 .

[32]  Chao Zhang,et al.  Practical Control Flow Integrity and Randomization for Binary Executables , 2013, 2013 IEEE Symposium on Security and Privacy.

[33]  Mark Harman,et al.  Amorphous program slicing , 1997, Proceedings Fifth International Workshop on Program Comprehension. IWPC'97.

[34]  David H. Ackley,et al.  Randomized instruction set emulation , 2005, TSEC.

[35]  Sorin Lerner,et al.  SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks , 2014, NDSS.

[36]  Amitabh Srivastava,et al.  Vulcan Binary transformation in a distributed environment , 2001 .

[37]  Angelos D. Keromytis,et al.  Retrofitting Security in COTS Software with Binary Rewriting , 2011, SEC.

[38]  Peng Ning,et al.  Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[39]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[40]  Vasanth Bala,et al.  Dynamo: a transparent dynamic optimization system , 2000, SIGP.