TypeSan: Practical type confusion detection

Istvan Haller; Yuseok Jeon; Hui Peng; Mathias Payer; Cristiano Giuffrida; Herbert Bos; Erik Van Der Kouwe

doi:10.1145/2976749.2978405

TypeSan: Practical type confusion detection

Istvan Haller, Yuseok Jeon, Hui Peng, Mathias Payer, Cristiano Giuffrida, Herbert Bos, Erik Van Der Kouwe

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

The low-level C++ programming language is ubiquitously used for its modularity and performance. Typecasting is a fundamental concept in C++ (and object-oriented programming in general) to convert a pointer from one object type into another. However, downcasting (converting a base class pointer to a derived class pointer) has critical security implications due to potentially different object memory layouts. Due to missing type safety in C++, a downcasted pointer can violate a programmer's intended pointer semantics, allowing an attacker to corrupt the underlying memory in a type-unsafe fashion. This vulnerability class is receiving increasing attention and is known as type confusion (or badcasting). Several existing approaches detect different forms of type confusion, but these solutions are severely limited due to both high run-time performance overhead and low detection coverage. This paper presents TypeSan, a practical type-confusion detector which provides both low run-time overhead and high detection coverage. Despite improving the coverage of state-of-the-art techniques, TypeSan significantly reduces the type-confusion detection overhead compared to other solutions. TypeSan relies on an efficient per-object metadata storage service based on a compact memory shadowing scheme. Our scheme treats all the memory objects (i.e., globals, stack, heap) uniformly to eliminate extra checks on the fast path and relies on a variable compression ratio to minimize run-time performance and memory overhead. Our experimental results confirm that TypeSan is practical, even when explicitly checking almost all the relevant typecasts in a given C++ program. Compared to the state of the art, TypeSan yields orders of magnitude higher coverage at 4-10 times lower performance overhead on SPEC and 2 times on Firefox. As a result, our solution offers superior protection and is suitable for deployment in production software. Moreover, our highly efficient metadata storage back-end is potentially useful for other defenses that require memory object tracking.

Original language	English
Title of host publication	CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery (ACM)
Pages	517-528
Number of pages	12
Volume	24-28-October-2016
ISBN (Electronic)	9781450341394
DOIs	https://doi.org/10.1145/2976749.2978405
Publication status	Published - 24 Oct 2016
Event	23rd ACM Conference on Computer and Communications Security, CCS 2016 - Vienna, Austria Duration: 24 Oct 2016 → 28 Oct 2016

Conference

Conference	23rd ACM Conference on Computer and Communications Security, CCS 2016
Country/Territory	Austria
City	Vienna
Period	24/10/16 → 28/10/16

Keywords

Downcasting
Type confusion
Type safety
Typecasting

Access to Document

10.1145/2976749.2978405

https://www.vusec.net/download/?t=papers/typesan_ccs16.pdf

Handle.net

Persistent link

Cite this

@inproceedings{01015713b0054d76891343f0aaa59d0d,

title = "TypeSan: Practical type confusion detection",

abstract = "The low-level C++ programming language is ubiquitously used for its modularity and performance. Typecasting is a fundamental concept in C++ (and object-oriented programming in general) to convert a pointer from one object type into another. However, downcasting (converting a base class pointer to a derived class pointer) has critical security implications due to potentially different object memory layouts. Due to missing type safety in C++, a downcasted pointer can violate a programmer's intended pointer semantics, allowing an attacker to corrupt the underlying memory in a type-unsafe fashion. This vulnerability class is receiving increasing attention and is known as type confusion (or badcasting). Several existing approaches detect different forms of type confusion, but these solutions are severely limited due to both high run-time performance overhead and low detection coverage. This paper presents TypeSan, a practical type-confusion detector which provides both low run-time overhead and high detection coverage. Despite improving the coverage of state-of-the-art techniques, TypeSan significantly reduces the type-confusion detection overhead compared to other solutions. TypeSan relies on an efficient per-object metadata storage service based on a compact memory shadowing scheme. Our scheme treats all the memory objects (i.e., globals, stack, heap) uniformly to eliminate extra checks on the fast path and relies on a variable compression ratio to minimize run-time performance and memory overhead. Our experimental results confirm that TypeSan is practical, even when explicitly checking almost all the relevant typecasts in a given C++ program. Compared to the state of the art, TypeSan yields orders of magnitude higher coverage at 4-10 times lower performance overhead on SPEC and 2 times on Firefox. As a result, our solution offers superior protection and is suitable for deployment in production software. Moreover, our highly efficient metadata storage back-end is potentially useful for other defenses that require memory object tracking.",

keywords = "Downcasting, Type confusion, Type safety, Typecasting",

author = "Istvan Haller and Yuseok Jeon and Hui Peng and Mathias Payer and Cristiano Giuffrida and Herbert Bos and {Van Der Kouwe}, Erik",

year = "2016",

month = oct,

day = "24",

doi = "10.1145/2976749.2978405",

language = "English",

volume = "24-28-October-2016",

pages = "517--528",

booktitle = "CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery (ACM)",

note = "23rd ACM Conference on Computer and Communications Security, CCS 2016 ; Conference date: 24-10-2016 Through 28-10-2016",

}

Haller, I, Jeon, Y, Peng, H, Payer, M, Giuffrida, C , Bos, H & Van Der Kouwe, E 2016, TypeSan: Practical type confusion detection. in CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. vol. 24-28-October-2016, Association for Computing Machinery (ACM), pp. 517-528, 23rd ACM Conference on Computer and Communications Security, CCS 2016, Vienna, Austria, 24/10/16. https://doi.org/10.1145/2976749.2978405

TypeSan : Practical type confusion detection. / Haller, Istvan; Jeon, Yuseok; Peng, Hui et al.

CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Vol. 24-28-October-2016 Association for Computing Machinery (ACM), 2016. p. 517-528.

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - TypeSan

T2 - 23rd ACM Conference on Computer and Communications Security, CCS 2016

AU - Haller, Istvan

AU - Jeon, Yuseok

AU - Peng, Hui

AU - Payer, Mathias

AU - Giuffrida, Cristiano

AU - Bos, Herbert

AU - Van Der Kouwe, Erik

PY - 2016/10/24

Y1 - 2016/10/24

N2 - The low-level C++ programming language is ubiquitously used for its modularity and performance. Typecasting is a fundamental concept in C++ (and object-oriented programming in general) to convert a pointer from one object type into another. However, downcasting (converting a base class pointer to a derived class pointer) has critical security implications due to potentially different object memory layouts. Due to missing type safety in C++, a downcasted pointer can violate a programmer's intended pointer semantics, allowing an attacker to corrupt the underlying memory in a type-unsafe fashion. This vulnerability class is receiving increasing attention and is known as type confusion (or badcasting). Several existing approaches detect different forms of type confusion, but these solutions are severely limited due to both high run-time performance overhead and low detection coverage. This paper presents TypeSan, a practical type-confusion detector which provides both low run-time overhead and high detection coverage. Despite improving the coverage of state-of-the-art techniques, TypeSan significantly reduces the type-confusion detection overhead compared to other solutions. TypeSan relies on an efficient per-object metadata storage service based on a compact memory shadowing scheme. Our scheme treats all the memory objects (i.e., globals, stack, heap) uniformly to eliminate extra checks on the fast path and relies on a variable compression ratio to minimize run-time performance and memory overhead. Our experimental results confirm that TypeSan is practical, even when explicitly checking almost all the relevant typecasts in a given C++ program. Compared to the state of the art, TypeSan yields orders of magnitude higher coverage at 4-10 times lower performance overhead on SPEC and 2 times on Firefox. As a result, our solution offers superior protection and is suitable for deployment in production software. Moreover, our highly efficient metadata storage back-end is potentially useful for other defenses that require memory object tracking.

AB - The low-level C++ programming language is ubiquitously used for its modularity and performance. Typecasting is a fundamental concept in C++ (and object-oriented programming in general) to convert a pointer from one object type into another. However, downcasting (converting a base class pointer to a derived class pointer) has critical security implications due to potentially different object memory layouts. Due to missing type safety in C++, a downcasted pointer can violate a programmer's intended pointer semantics, allowing an attacker to corrupt the underlying memory in a type-unsafe fashion. This vulnerability class is receiving increasing attention and is known as type confusion (or badcasting). Several existing approaches detect different forms of type confusion, but these solutions are severely limited due to both high run-time performance overhead and low detection coverage. This paper presents TypeSan, a practical type-confusion detector which provides both low run-time overhead and high detection coverage. Despite improving the coverage of state-of-the-art techniques, TypeSan significantly reduces the type-confusion detection overhead compared to other solutions. TypeSan relies on an efficient per-object metadata storage service based on a compact memory shadowing scheme. Our scheme treats all the memory objects (i.e., globals, stack, heap) uniformly to eliminate extra checks on the fast path and relies on a variable compression ratio to minimize run-time performance and memory overhead. Our experimental results confirm that TypeSan is practical, even when explicitly checking almost all the relevant typecasts in a given C++ program. Compared to the state of the art, TypeSan yields orders of magnitude higher coverage at 4-10 times lower performance overhead on SPEC and 2 times on Firefox. As a result, our solution offers superior protection and is suitable for deployment in production software. Moreover, our highly efficient metadata storage back-end is potentially useful for other defenses that require memory object tracking.

KW - Downcasting

KW - Type confusion

KW - Type safety

KW - Typecasting

UR - http://www.scopus.com/inward/record.url?scp=84995478585&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84995478585&partnerID=8YFLogxK

U2 - 10.1145/2976749.2978405

DO - 10.1145/2976749.2978405

M3 - Conference contribution

AN - SCOPUS:84995478585

VL - 24-28-October-2016

SP - 517

EP - 528

BT - CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery (ACM)

Y2 - 24 October 2016 through 28 October 2016

ER -

TypeSan: Practical type confusion detection

Abstract

Conference

Keywords

Access to Document

Handle.net

Other files and links

Fingerprint

Cite this