VTint: Protecting Virtual Function Tables' Integrity

22nd Annual Network and Distributed System Security Symposium, NDSS 2015

Volumn , Issue , 2015, Pages

  Zhang, Chao ^a   Song, Chengyu ^c   Chen, Kevin Zhijie ^a   Chen, Zhaofeng ^b   Song, Dawn ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b PEKING UNIVERSITY   (China)

^c GEORGIA INSTITUTE OF TECHNOLOGY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ACCESS CODES; CONTROL DATA; CONTROL-FLOW; DEFENSE SOLUTIONS; FUNCTION CALLS; FUNCTION POINTERS; HEAP OVERFLOW; VIRTUAL FUNCTION TABLES; VIRTUAL FUNCTIONS; VIRTUAL TABLES;

SOFTWARE ENGINEERING;

EID: 85114493450     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss.2015.23099     Document Type: Conference Paper

References (53)

1. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, “Control-flow integrity, ” in ACM Conference on Computer and Communications Security (CCS), 2005.
2. S. Andersen and V. Abella, “Data Execution Prevention: Changes to Functionality in Microsoft Windows XP Service Pack 2, Part 3: Memory Protection Technologies, ” http://technet.microsoft.com/en-us/library/bb457155.aspx, 2004.
3. Apple, “Sunspider 1.0.2 javascript benchmark suite, ” https://www.webkit.org/perf/sunspider/sunspider.html, 2014.
4. E. D. Berger and B. G. Zorn, “Diehard: probabilistic memory safety for unsafe languages, ” in PLDI, vol. 41, no. 6. ACM, 2006, pp. 158-168.
5. S. BRADSHAW, “Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability, ” http://www.thegreycorner.com/2010/01/heap-spray-exploit-tutorial-internet. html, 2010.
6. S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer, “Non-control-data attacks are realistic threats, ” in USENIX Security Symposium, 2005.
7. s. corelanc0d3r, “MS13-069 Microsoft Internet Explorer CCaret Use-After-Free, ” http://www.exploit-db.com/exploits/28481/, 2013.
8. C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton, “StackGuard: Automatic adaptive detection and prevention of buffer-overflow attack, ” in USENIX Security Symposium, 1998.
9. D. Dewey and J. T. Giffin, “Static detection of c++ vtable escape vulnerabilities in binary code.” in NDSS, 2012.
10. D. Dhurjati and V. Adve, “Backwards-compatible array bounds checking for c with very low overhead, ” in Proceedings of the 28th international conference on Software engineering. ACM, 2006, pp. 162-171.
11. A. Edwards, A. Srivastava, and H. Vo, “Vulcan: binary transformation in a distributed environment, ” Microsoft Research, Tech. Rep. MSR-TR-2001-50, 2001.
12. FutureMark, “Peacekeeper: HTML5 browser speed test, ” http://peacekeeper.futuremark.com/, 2014.
13. E. Göktas, E. Athanasopoulos, H. Bos, and G. Portokalidis, “Out of control: Overcoming control-flow integrity, ” in IEEE S&P, 2014.
14. Google, “Octane JavaScript benchmark suite, ” https://developers.google.com/octane/, 2014.
15. J. Gruskovnjak, “Advanced Exploitation of Mozilla Firefox Use-after-free Vulnerability (MFSA 2012-22), ” http://www.vupen.com/blog/20120625.Advanced_Exploitation_of_Mozilla_Firefox_UaF_CVE-2012-0469.php, 2012.
16. J. L. Henning, “SPEC CPU2000: Measuring CPU Performance in the New Millennium, ” Computer, Jul. 2000.
17. J. L. Henning, “SPEC CPU2006 benchmark descriptions, ” SIGARCH Comput. Archit. News, vol. 34, pp. 1-17, Sep. 2006.
18. Hex-Rays SA, “IDA Pro: a cross-platform multi-processor disassembler and debugger.” http://www.hex-rays.com/products/ida/index.shtml.
19. J. Hiser, A. Nguyen-tuong, M. Co, M. Hall, and J. W. Davidson, “ILR: Where'd my gadgets go, ” in IEEE Symposium on Security and Privacy, 2012.
20. D. Jang, Z. Tatlock, and S. Lerner, “SAFEDISPATCH: Securing C++ Virtual Calls from Memory Corruption Attacks, ” in 20th Annual Network and Distributed System Security Symposium, 2014.
21. V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song, “Code-pointer integrity, ” OSDI'14, 2014, 00000. [Online]. Available: https://www.usenix.org/system/files/conference/osdi14/osdi14-paper-kuznetsov.pdf?utm_source= dlvr.it&utm_medium=tumblr
22. S. B. Lippman, Inside the C++ object model. Addison-Wesley Reading, 1996, vol. 242.
23. Metasploit, “Firefox XMLSerializer Use After Free, ” http://www.exploit-db.com/exploits/27940/, 2013.
24. Metasploit Open Source Commitment, “Metasploit Penetration Testing Software & Framework, ” http://metasploit.com.
25. Microsoft, “Software vulnerability exploitation trends: Exploring the impact of software mitigations on patterns of vulnerability exploitation (2013), ” http://download.microsoft.com/download/F/D/F/FDFBE532-91F2-4216-9916-2620967CEAF4/Software% 20Vulnerability%20Exploitation%20Trends.pdf, 2013.
26. Microsoft IE, “LiteBrite: HTML, CSS and JavaScript Performance Benchmark, ” http://ie.microsoft.com/testdrive/Performance/LiteBrite/, 2014.
27. Microsoft Visual Studio 2005, “Image has safe exception handlers, ” http://msdn.microsoft.com/en-us/library/9a89h429%28v=vs.80%29.aspx.
28. M. R. Miller, K. D. Johnson, and T. W. Burrell, “Using virtual table protections to prevent the exploitation of object corruption vulnerabilities, ” Mar. 25 2014, uS Patent 8, 683, 583.
29. Mozilla, “Kraken 1.1 javascript benchmark suite, ” http://krakenbenchmark.mozilla.org/, 2014.
30. MWR Lab, “MWR Labs Pwn2Own 2013 Write-up - Webkit Exploit, ” https://labs.mwrinfosecurity.com/blog/2013/04/19/mwr-labs-pwn2own-2013-write-up-webkit-exploit/, 2013.
31. S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic, “SoftBound: highly compatible and complete spatial memory safety for C, ” in Conference of Programming Language Design and Implementation (PLDI), 2009.
32. S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic, “CETS: compiler enforced temporal safety for C, ” in International Symposium on Memory Management (ISMM), 2010.
33. B. Niu and G. Tan, “Modular control-flow integrity, ” in Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation. ACM, 2014, p. 58.
34. G. Novark and E. D. Berger, “Dieharder: securing the heap, ” in Proceedings of the 17th ACM conference on Computer and communications security. ACM, 2010, pp. 573-584.
35. Offensive Security, “The exploit database: an ultimate archive of exploits and vulnerable software, ” http://www.exploit-db.com/.
36. H. Patil and C. Fischer, “Low-cost, concurrent checking of pointer and array accesses in c programs, ” Softw., Pract. Exper., vol. 27, no. 1, pp. 87-110, 1997.
37. PaX Team, “PaX address space layout randomization (ASLR), ” http://pax.grsecurity.net/docs/aslr.txt, 2003.
38. A. Pelletier, “Advanced Exploitation of Internet Explorer Heap Overflow (Pwn2Own 2012 Exploit), ” http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php, 2012.
39. M. Prasad and T.-c. Chiueh, “A binary rewriting defense against stack based buffer overflow attacks, ” in USENIX Annual Technical Conference, 2003.
40. R. regenrecht, “Mozilla Firefox 3.6.16 mChannel use after free vulnerability, ” http://www.exploit-db.com/exploits/17650/, 2011.
41. RightWare, “Browsermark 2.1 benchmark, ” http://browsermark.rightware.com/, 2014.
42. rix, “Smashing C++ VPTRs, ” http://phrack.org/issues/56/8.html, 2000.
43. B. Schwarz, S. Debray, and G. Andrews, “Disassembly of executable code revisited, ” in Working Conference on Reverse Engineering, 2002.
44. J. Seward and N. Nethercote, “Using valgrind to detect undefined value errors with bit-precision.” in USENIX Annual Technical Conference, General Track, 2005, pp. 17-30.
45. H. Shacham, “The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86), ” in ACM Conference on Computer and Communications Security (CCS), 2007.
46. H. Shacham, M. Page, B. Pfaff, E.-j. Goh, N. Modadugu, and D. Boneh, “On the effectiveness of address-space randomization, ” Proceedings of the 11th ACM conference on Computer and communications security (CCS'04), p. 298, 2004.
47. V. Thampi, “Udis86 disassembler library for x86, ” http://udis86.sourceforge.net/.
48. C. Tice, “Gcc vtable security hardening proposal, ” https://gcc.gnu.org/ml/gcc-patches/2012-11/txt00001.txt, 2012.
49. C. Tice, “Improving function pointer security for virtual method dispatches, ” in GNU Tools Cauldron Workshop, 2012.
50. Z. Wang and X. Jiang, “HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity, ” in IEEE Symposium on Security and Privacy, 2010.
51. W. Xu, D. C. DuVarney, and R. Sekar, “An efficient and backwards-compatible transformation to ensure memory safety of c programs, ” in ACM SIGSOFT Software Engineering Notes, vol. 29, no. 6. ACM, 2004, pp. 117-126.
52. C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou, “Practical control flow integrity and randomization for binary executables, ” in Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013, pp. 559-573.
53. M. Zhang and R. Sekar, “Control flow integrity for cots binaries.” in USENIX Security, 2013, pp. 337-352.