TY - GEN
T1 - VPS: Excavating high-level C++ constructs from low-level binaries to protect dynamic dispatching
AU - Pawlowski, Andre
AU - van der Veen, Victor
AU - Andriesse, Dennis
AU - van der Kouwe, Erik
AU - Holz, Thorsten
AU - Giuffrida, Cristiano
AU - Bos, Herbert
PY - 2019/12
Y1 - 2019/12
N2 - Polymorphism and inheritance make C++ suitable for writing complex software, but significantly increase the attack surface because the implementation relies on virtual function tables (vtables). These vtables contain function pointers that attackers can potentially hijack and in practice, vtable hijacking is one of the most important attack vector for C++ binaries. In this paper, we present VTable Pointer Separation (vps), a practical binary-level defense against vtable hijacking in C++ applications. Unlike previous binary-level defenses, which rely on unsound static analyses to match classes to virtual callsites, vps achieves a more accurate protection by restricting virtual callsites to validly created objects. More specifically, vps ensures that virtual callsites can only use objects created at valid object construction sites, and only if those objects can reach the callsite. Moreover, vps explicitly prevents false positives (falsely identified virtual callsites) from breaking the binary, an issue existing work does not handle correctly or at all. We evaluate the prototype implementation of vps on a diverse set of complex, real-world applications (MongoDB, MySQL server, Node.js, SPEC CPU2017/CPU2006), showing that our approach protects on average 97.8% of all virtual callsites in SPEC CPU2006 and 97.4% in SPEC CPU2017 (all C++ benchmarks), with a moderate performance overhead of 11% and 9% geomean, respectively. Furthermore, our evaluation reveals 86 false negatives in VTV, a popular source-based defense which is part of GCC.
AB - Polymorphism and inheritance make C++ suitable for writing complex software, but significantly increase the attack surface because the implementation relies on virtual function tables (vtables). These vtables contain function pointers that attackers can potentially hijack and in practice, vtable hijacking is one of the most important attack vector for C++ binaries. In this paper, we present VTable Pointer Separation (vps), a practical binary-level defense against vtable hijacking in C++ applications. Unlike previous binary-level defenses, which rely on unsound static analyses to match classes to virtual callsites, vps achieves a more accurate protection by restricting virtual callsites to validly created objects. More specifically, vps ensures that virtual callsites can only use objects created at valid object construction sites, and only if those objects can reach the callsite. Moreover, vps explicitly prevents false positives (falsely identified virtual callsites) from breaking the binary, an issue existing work does not handle correctly or at all. We evaluate the prototype implementation of vps on a diverse set of complex, real-world applications (MongoDB, MySQL server, Node.js, SPEC CPU2017/CPU2006), showing that our approach protects on average 97.8% of all virtual callsites in SPEC CPU2006 and 97.4% in SPEC CPU2017 (all C++ benchmarks), with a moderate performance overhead of 11% and 9% geomean, respectively. Furthermore, our evaluation reveals 86 false negatives in VTV, a popular source-based defense which is part of GCC.
KW - Binary Analysis
KW - CFI
UR - http://www.scopus.com/inward/record.url?scp=85077813085&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85077813085&partnerID=8YFLogxK
U2 - 10.1145/3359789.3359797
DO - 10.1145/3359789.3359797
M3 - Conference contribution
AN - SCOPUS:85077813085
T3 - ACM International Conference Proceeding Series
SP - 97
EP - 112
BT - ACSAC '19
PB - Association for Computing Machinery
T2 - 35th Annual Computer Security Applications Conference, ACSAC 2019
Y2 - 9 December 2019 through 13 December 2019
ER -