VTPin: Practical VTable hijacking protection for binaries

Pawel Sarbinowski, Vasileios P. Kemerlis, Cristiano Giuffrida, Ilias Athanasopoulos

Research output: Chapter in Book / Report / Conference proceeding, Conference contribution, Academic, peer-review

Abstract

VTable hijacking has lately been promoted to the de facto technique for exploiting C++ applications, and in particular web browsers. VTables, however, can be manipulated without necessarily corrupting memory, simply by leveraging use-after-free bugs. In fact, in the recent Pwn2Own competitions all major web browsers were compromised with exploits that employed (among others) use-after-free vulnerabilities and VTable hijacking. In this paper, we propose VTPin: a system to protect against VTable hijacking, via use-after-free vulnerabilities, in large C++ binaries that cannot be re-compiled or re-written. The main idea behind VTPin is to pin all the freed VTable pointers on a safe VTable under VTPin's control. Specifically, for every object deallocation, VTPin deallocates all space allocated, but preserves and updates the VTable pointer with the address of the safe VTable. Hence, any dereferenced dangling pointer can only invoke a method provided by VTPin's safe object. Subsequently, all virtual-method calls due to dangling pointers are not simply neutralized, but they can be logged, tracked, and patched. Compared to other solutions that defend against VTable hijacking, VTPin exhibits certain characteristics that make it suitable for practical and instant deployment in production software. First, VTPin protects binaries, directly and transparently, without requiring source compilation or binary rewriting. Second, VTPin is not an allocator replacement, and thus it does not interfere with the allocation strategies and policies of the protected program; it intervenes in the deallocation process only when a virtual object is to be freed for preserving the VTable pointer. Third, VTPin is fast; Mozilla Firefox, protected with VTPin, experiences an average overhead of 1%-4.1% when running popular browser benchmarks.

Original language: English
Title of host publication: Proceedings - 32nd Annual Computer Security Applications Conference, ACSAC 2016
Publisher: Association for Computing Machinery (ACM)
Pages: 448-459
Number of pages: 12
Volume: 5-9-December-2016
ISBN (Electronic): 9781450347716
Publication status: Published - 5 Dec 2016
Event: 32nd Annual Computer Security Applications Conference, ACSAC 2016 - Los Angeles, United States
Duration: 5 Dec 2016 to 9 Dec 2016

Conference

Conference: 32nd Annual Computer Security Applications Conference, ACSAC 2016
Country/Territory: United States
City: Los Angeles
Period: 5/12/16 to 9/12/16

Keywords

  • Control-flow hijacking
  • Use-after-free
  • VTable protection
