vfGuard: Strict Protection for Virtual Function Calls in COTS C++ Binaries

22nd Annual Network and Distributed System Security Symposium, NDSS 2015

Volumn , Issue , 2015, Pages

  Prakash, Aravind ^a   Hu, Xunchao ^a   Yin, Heng ^a  

^a SYRACUSE UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

C++ (PROGRAMMING LANGUAGE); OPEN SOURCE SOFTWARE; OPEN SYSTEMS;

CONTROL-FLOW; CONTROL-FLOW INTEGRITIES; FLOW RESTRICTION; FUNCTION CALLS; INTEGRITY POLICY; INTEGRITY PROTECTION; PROTOTYPE SYSTEM; SECURITY PROPERTIES; STRINGENTS; VIRTUAL FUNCTIONS;

SEMANTICS;

EID: 85119250464     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss.2015.23297     Document Type: Conference Paper

References (40)

1. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, “Control-flow integrity, ” in Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS'05), 2005, pp. 340-353.
2. C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou, “Practical control flow integrity and randomization for binary executables, ” in Proceedings of the IEEE Symposium on Security and Privacy (Oakland'13), 2013, pp. 559-573.
3. M. Zhang and R. Sekar, “Control flow integrity for COTS binaries, ” in Proceedings of the 22nd USENIX Security Symposium (Usenix Security'13), 2013, pp. 337-352.
4. B. Niu and G. Tan, “RockJIT: Securing just-in-time compilation using modular control-flow integrity, ” in Proceedings of 21st ACM Conference on Computer and Communication Security (CCS'14), 2014.
5. B. Niu and G. Tan, “Modular control-flow integrity, ” in Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI'14), 2014.
6. L. Davi, A. Dmitrienko, M. Egele, T. Fischer, T. Holz, R. Hund, S. Nürnberger, and A.-r. Sadeghi, “MoCFI: A framework to mitigate control-flow attacks on smartphones, ” in Proceedings of the 19th Annual Network and Distributed System Security Symposium (NDSS'12), 2012.
7. D. Jang, Z. Tatlock, and S. Lerner, “SafeDispatch: Securing C++ virtual calls from memory corruption attacks, ” in Proceedings of 21st Annual Network and Distributed System Security Symposium (NDSS'14), 2014.
8. C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, Ú. Erlingsson, L. Lozano, and G. Pike, “Enforcing forward-edge control-flow integrity in GCC & LLVM, ” in Proceedings of 23rd USENIX Security Symposium (USENIX Security'14), 2014, pp. 941-955.
9. E. Göktaş, E. Anthanasopoulos, H. Bos, and G. Portokalidis, “Out of control: Overcoming control-flow integrity, ” in Proceedings of 35th IEEE Symposium on Security and Privacy (Oakland'14), 2014.
10. N. Carlini and D. Wagner, “ROP is still dangerous: Breaking modern defenses, ” in 23rd USENIX Security Symposium (USENIX Security'14), 2014.
11. “Stack Shield, ” http://www.angelfire.com/sk/stackshield/.
12. F. Chagnon, “IDA-Decompiler, ” https://github.com/EiNSTeiN-/idadecompiler.
13. “Itanium C++ ABI, ” http://mentorembedded.github.io/cxx-abi/abi.html.
14. J. Ray, “C++: Under the hood, ” http://www.openrce.org/articles/files/jangrayhood.pdf, March 1994.
15. B. Stroustrup, The C++ Programming Language, 4th ed. Addison-Wesley, 2013.
16. “THISCALL calling convention, ” http://msdn.microsoft.com/enus/library/ek8tkfbw.aspx, 2013.
17. D. Dewey and J. T. Giffin, “Static detection of C++ vtable escape vulnerabilities in binary code.” in Proceedings of 19th Annual Network and Distributed System Security Symposium (NDSS'12), 2012.
18. Nektra, “Vtbl - IDA plugin, ” https://github.com/nektra/vtbl-ida-proplugin, 2013.
19. C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood, “Pin: Building customized program analysis tools with dynamic instrumentation, ” in Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI'05), 2005, pp. 190-200.
20. V. Bala, E. Duesterwald, and S. Banerjia, “Dynamo: A transparent dynamic optimization system, ” in Proceedings of the ACM SIGPLAN 2000 Conference on Programming Language Design and Implementation (PLDI'00), 2000, pp. 1-12.
21. “The IDA Pro disassembler and debugger, ” https://www.hexrays.com/products/ida/.
22. M. Laurenzano, M. Tikir, L. Carrington, and A. Snavely, “PEBIL: Efficient static binary instrumentation for linux, ” in Proceedings of IEEE International Symposium on Performance Analysis of Systems Software (ISPASS'10), March 2010.
23. S. S. Muchnick, Advanced Compiler Design and Implementation. San Francisco, CA, USA: Morgan Kaufmann Publishers Inc., 1997.
24. R. Cytron, J. Ferrante, B. K. Rosen, M. N. Wegman, and F. K. Zadeck, “Efficiently computing static single assignment form and the control dependence graph, ” ACM Transactions on Programming Languages and Systems (TOPLAS), 1991.
25. A. Srivastava, A. Edwards, and H. Vo, “Vulcan: Binary transformation in a distributed environment, ” Microsoft Research, Tech. Rep. MSR-TR-2001-50, April 2001.
26. “Browser Helper Objects, ” http://sysinfo.org/bhoinfo.html.
27. “Using dllimport and dllexport in C++ classes, ” http://msdn.microsoft.com/en-us/library/81h27t8c.aspx.
28. J. Criswell, N. Dautenhahn, and V. Adve, “KCoFI: Complete control-flow integrity for commodity operating system kernels, ” in Proceedings of 35th IEEE Symposium on Security and Privacy (Oakland'14), 2014.
29. S. McCamant and G. Morrisett, “Evaluating SFI for a CISC Architecture, ” in Proceedings of the 15th Annual USENIX Security Symposium (Usenix Security'06), 2006.
30. A. Prakash, H. Yin, and Z. Liang, “Enforcing system-wide control flow integrity for exploit detection and diagnosis, ” in Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIACCS'13), 2013, pp. 311-322.
31. M. Miller and K. Johnson, “Using virtual table protections to prevent the exploitation of object corruption vulnerabilities, ” Patent, Jun. 7, 2012, US Patent App. 12/958, 668. [Online]. Available: http://www.google.com/patents/US20120144480
32. R. Gawlik and T. Holz, “Towards automated integrity protection of C++ virtual function tables in binary programs, ” in Proceedings of 30th Annual Computer Security Applications Conference (ACSAC'14), Dec 2014.
33. C. Zhang, C. Song, Z. K. Chen, Z. Chen, and D. Song, “VTint: defending virtual function tables integrity, ” in Proceedings of the 22nd Annual Network and Distributed System Security Symposium (NDSS'15), 2015.
34. J. H. Lee, T. Avgerinos, and D. Brumley, “Tie: Principled reverse engineering of types in binary programs, ” in Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS'11), 2011.
35. Z. Lin, X. Zhang, and D. Xu, “Automatic reverse engineering of data structures from binary execution, ” in Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS'10), 2010.
36. P. V. Sabanal and M. V. Yason, “Reversing C++, ” Blackhat Security Conference, 2007.
37. A. Fokin, E. Derevenetc, A. Chernov, and K. Troshina, “Smartdec: Approaching C++ decompilation, ” in Reverse Engineering (WCRE), 2011 18th Working Conference on, 2011, pp. 347-356.
38. W. Jin, C. Cohen, J. Gennari, C. Hines, S. Chaki, A. Gurfinkel, J. Havrilla, and P. Narasimhan, “Recovering C++ objects from binaries using inter-procedural data-flow analysis, ” in Proceedings of ACM SIGPLAN on Program Protection and Reverse Engineering Workshop (PPREW'14), 2014, pp. 1-11.
39. “Boomerang decompiler, ” http://boomerang.sourceforge.net/.
40. I. Skochinsky, “Practical C++ decompilation.” [Online]. Available: https://archive.org/details/Recon_2011_Practical_Cpp_decompilation