Type casting verification: Stopping an emerging attack vector

Proceedings of the 24th USENIX Security Symposium

Volumn , Issue , 2015, Pages 81-96

  Lee, Byoungyoung ^a   Song, Chengyu ^a   Kim, Taesoo ^a   Lee, Wenke ^a  

^a Georgia Institute of Technology   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

BENCHMARKING; OPEN SOURCE SOFTWARE; SECURITY OF DATA; SEMANTICS;

DETECTION COVERAGE; DETECTION PROBLEMS; MEMORY CORRUPTION; PROGRAM INSTRUMENTATIONS; SECURITY COMMUNITY; SECURITY IMPLICATIONS; SECURITY VULNERABILITIES; TARGET APPLICATION;

C++ (PROGRAMMING LANGUAGE);

EID: 85076313142     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (51)

1. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity. In ACM Conference on Computer and Communications Security (CCS), 2005.
2. C. N. Abhishek Arya. Fuzzing for Security (The Chromium Blog). http://blog.chromium.org/2012/04/fuzzing-for-security.html, 2012.
3. P. Akritidis, M. Costa, M. Castro, and S. Hand. Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors. In USENIX Security Symposium (Security), 2009.
4. Bad casting: From BasicThebesLayer to BasicContainerLayer. Mozilla Bugzilla - Bug 1074280. https://bugzilla.mozilla.org/show_bug.cgi?id=1074280, Nov 2014.
5. Bad-casting from PRCListStr to nsSHistory. Mozilla Bugzilla - Bug 1089438. https://bugzilla.mozilla.org/show_bug.cgi?id=1089438, Nov 2014.
6. N. Carlini and D. Wagner. ROP is still dangerous: Breaking modern defenses. In USENIX Security Symposium (Security), 2014.
7. S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer. Non-control-data Attacks Are Realistic Threats. In USENIX Security Symposium (Security), 2005.
8. Chris Evans. Using ASAN as a protection. http://scarybeastsecurity.blogspot.com/2014/09/ using-asan-as-protection.html, Nov 2014.
9. Chromium. Chromium Revision 285353 - Blacklist for UBsan’s vptr. https://src.chromium.org/viewvc/chrome?view=revision&revision=285353, Jul 2014.
10. Chromium. Chromium project: Log of /trunk/src/tools/ubsan_vptr/blacklist.txt. https://src.chromium.org/viewvc/chrome/trunk/src/tools/ubsan_vptr/blacklist.txt? view=log, Nov 2014.
11. Clang Documentation. MSVC Compatibility. http://clang.llvm.org/docs/MSVCCompatibility.html, Nov 2014.
12. CodeSourcery, Compaq, EDG, HP, IBM, Intel, R. Hat, and SGI. Itanium C++ ABI (Revision: 1.83). http://mentorembedded.github.io/cxx-abi/abi.html, 2005.
13. CodeSourcery, Compaq, EDG, HP, IBM, Intel, Red Hat, and SGI. C++ ABI Closed Issues. www.codesourcery.com/public/cxx-abi/cxx-closed.html, Nov 2014.
14. J. Criswell, A. Lenharth, D. Dhurjati, and V. Adve. Secure virtual architecture: A safe execution environment for commodity operating systems. In ACM SIGOPS Symposium on Operating Systems Principles (SOSP), 2007.
15. Dai Mikurube. C++ Object Type Identifier for Heap Profiling. http://www.chromium.org/developers/deep-memory-profiler/cpp-object-type-identifier, Nov 2014.
16. M. Daniel, J. Honoroff, and C. Miller. Engineering Heap Overflow Exploits with JavaScript. In USENIX Workshop on Offensive Technologies (WOOT), 2008.
17. L. Davi, D. Lehmann, A.-R. Sadeghi, and F. Monrose. Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection. In USENIX Security Symposium (Security), 2014.
18. GCC. Arrays of Variable Length. https://gcc.gnu.org/onlinedocs/gcc/Variable-Length.html, Jun 2015.
19. E. Göktas, E. Athanasopoulos, H. Bos, and G. Portokalidis. Out of control: Overcoming Control-Flow Integrity. In IEEE Symposium on Security and Privacy (SP), 2014.
20. E. Göktaş, E. Athanasopoulos, M. Polychronakis, H. Bos, and G. Portokalidis. Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard. In USENIX Security Symposium (Security), 2014.
21. Google. Octane Benchmark. https://code.google.com/p/ octane-benchmark, Aug 2014.
22. Google. Specialized memory allocator for ThreadSanitizer, MemorySanitizer, etc. http://llvm.org/klaus/compiler-rt/blob/7385f8b8b8723064910cf9737dc929e90aeac548/ lib/sanitizer_common/sanitizer_allocator.h, Nov 2014.
23. R. Hastings and B. Joyce. Purify: Fast detection of memory leaks and access errors. In Winter 1992 USENIX Conference, 1991.
24. D. Jang, Z. Tatlock, and S. Lerner. SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks. In Network and Distributed System Security Symposium (NDSS), 2014.
25. T. Jim, J. G. Morrisett, D. Grossman, M. W. Hicks, J. Cheney, and Y. Wang. Cyclone: A safe dialect of C. In USENIX Annual Technical Conference (ATC), 2002.
26. I. JTC1/SC22/WG21. ISO/IEC 14882:2013 Programming Language C++ (N3690). https://isocpp.org/files/papers/N3690.pdf, 2013.
27. LLVM Project. How to set up LLVM-style RTTI for your class hierarchy. http://llvm.org/docs/HowToSetUpLLVMStyleRTTI.html, Nov 2014.
28. J. Mihalicza, Z. Porkoláb, and A. Gabor. Type-preserving heap profiler for c++. In IEEE International Conference on Software Maintenance (ICSM), 2011.
29. Mozilla. DROMAEO, JavaScript Performance Testing. http://dromaeo.com, Aug 2014.
30. Multiple undefined behaviors (static_cast<>) in libstdc++v3/include/bits. GCC Bugzilla - Bug 63345. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63345, Nov 2014.
31. MWR Labs. MWR Labs Pwn2Own 2013 Write-up: Webkit Exploit. https://labs.mwrinfosecurity.com/blog/2013/04/19/ mwr- labs- pwn2own- 2013- write- up- - - webkit- exploit/, 2013.
32. S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic. SoftBound: Highly Compatible and Complete Spatial Memory Safety for C. In ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2009.
33. G. C. Necula, J. Condit, M. Harren, S. McPeak, and W. Weimer. Ccured: Type-safe retrofitting of legacy software. ACM Transactions on Programming Languages and Systems (TOPLAS), 2005.
34. N. Nethercote and J. Seward. Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation. In ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2007.
35. Qualys Security Advisory. Qualys Security Advisory CVE-2015-0235 - GHOST: glibc gethostbyname buffer overflow. http://www.openwall.com/lists/oss-security/2015/01/27/9, Jun 2015.
36. K. Serebryany, D. Bruening, A. Potapenko, and D. Vyukov. AddressSanitizer: A Fast Address Sanity Checker. In USENIX Annual Technical Conference (ATC), 2012.
37. S. Shende, A. D. Malony, J. Cuny, P. Beckman, S. Karmesin, and K. Lindlan. Portable profiling and tracing for parallel, scientific applications using c++. In ACM SIGMETRICS Symposium on Parallel and Distributed Tools (SPDT), 1998.
38. A. Sotirov. Heap Feng Shui in JavaScript. Black Hat Europe, 2007.
39. Standard Performance Evaluation Corporation. SPEC CPU 2006. http://www.spec.org/cpu2006, Aug 2014.
40. The Chromium Project. http://www.chromium.org/Home, Aug 2014.
41. The Chromium Project. Chromium Issues - Bug 387016. http://code.google.com/p/chromium/issues/detail?id=387016, Nov 2014.
42. The Chromium Projects. Undefined Behavior Sanitizer for Chromium. http://www.chromium.org/developers/testing/undefinedbehaviorsanitizer, Nov 2014.
43. The LLVM Compiler Infrastructure. http://llvm.org, Aug 2014.
44. The Mozilla Foundation. Firefox Web Browser. https://www.mozilla.org/firefox, Nov 2014.
45. C. Tice. Improving Function Pointer Security for Virtual Method Dispatches. In GNU Tools Cauldron Workshop, 2012.
46. TIS Committee. Tool Interface Standard (TIS) Executable and Linking Format (ELF) Specification Version 1.2. TIS Committee, 1995.
47. WebKit. SunSpider 1.0.2 JavaScript Benchmark. https://www.webkit.org/perf/sunspider/sunspider.html, Aug 2014.
48. W. Xu, D. C. DuVarney, and R. Sekar. An efficient and backwards-compatible transformation to ensure memory safety of c programs. In ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE), 2004.
49. B. Zeng, G. Tan, and G. Morrisett. Combining Control-flow Integrity and Static Analysis for Efficient and Validated Data Sand-boxing. In ACM Conference on Computer and Communications Security (CCS), 2011.
50. C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou. Practical Control Flow Integrity and Randomization for Binary Executables. In IEEE Symposium on Security and Privacy (SP), 2013.
51. M. Zhang and R. Sekar. Control Flow Integrity for COTS Binaries. In USENIX Security Symposium (Security), 2013.