Abstract
Polymorphism and inheritance make C++ suitable for writing complex software, but significantly increase the attack surface because the implementation relies on virtual function tables (vtables). These vtables contain function pointers that attackers can potentially hijack, and in practice, vtable hijacking is one of the most important attack vectors for C++ binaries. In this paper, we present VTable Pointer Separation (vps), a practical binary-level defense against vtable hijacking in C++ applications. Unlike previous binary-level defenses, which rely on unsound static analyses to match classes to virtual callsites, vps achieves more accurate protection by restricting virtual callsites to validly created objects. More specifically, vps ensures that virtual callsites can only use objects created at valid object construction sites, and only if those objects can reach the callsite. Moreover, vps explicitly prevents false positives (falsely identified virtual callsites) from breaking the binary, an issue existing work does not handle correctly or at all. We evaluate the prototype implementation of vps on a diverse set of complex, real-world applications (MongoDB, MySQL server, Node.js, SPEC CPU2017/CPU2006), showing that our approach protects on average 97.8% of all virtual callsites in SPEC CPU2006 and 97.4% in SPEC CPU2017 (all C++ benchmarks), with a moderate performance overhead of 11% and 9% geomean, respectively. Furthermore, our evaluation reveals 86 false negatives in VTV, a popular source-based defense which is part of GCC.
Original language | English |
---|---|
Title of host publication | ACSAC '19 |
Subtitle of host publication | Proceedings of the 35th Annual Computer Security Applications Conference, December 2019 |
Publisher | Association for Computing Machinery |
Pages | 97-112 |
Number of pages | 16 |
ISBN (Electronic) | 9781450376280 |
Publication status | Published - Dec 2019 |
Event | 35th Annual Computer Security Applications Conference, ACSAC 2019 - San Juan, United States; Duration: 9 Dec 2019 → 13 Dec 2019 |
Publication series
Name | ACM International Conference Proceeding Series |
---|
Conference
Conference | 35th Annual Computer Security Applications Conference, ACSAC 2019 |
---|---|
Country/Territory | United States |
City | San Juan |
Period | 9/12/19 → 13/12/19 |
Funding
This work was supported by the German Research Foundation (DFG) within the framework of the Excellence Strategy of the Federal Government and the States – EXC 2092 CaSa – 39078197, by the United States Office of Naval Research under contracts N00014-17-1-2782 and N00014-17-S-B010 “BinRec”, and by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 786669 (ReAct), No. 825377 (UNICORE), and No. 640110 (BASTION). Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of any of the sponsors or any of their affiliates.
Keywords
- Binary Analysis
- CFI