SAFEDISPATCH: Securing C++ Virtual Calls from Memory Corruption Attacks

21st Annual Network and Distributed System Security Symposium, NDSS 2014

Volumn , Issue , 2014, Pages

  Jang, Dongseok ^a   Tatlock, Zachary ^b   Lerner, Sorin ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b School of Medicine Billings   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

C++ (PROGRAMMING LANGUAGE); COMPUTER SOFTWARE;

COMPLETE CONTROL; CONTROL DATA; CONTROL-FLOW; CREATIVES; MEMORY CORRUPTION ATTACKS; PROGRAM CONTROL; PROGRAM EXECUTION; PROGRAMMING ERRORS; UNDERLYING SYSTEMS; VIRTUAL TABLES;

BENCHMARKING;

EID: 85180403748     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss/2014.23287     Document Type: Conference Paper

References (43)

1. C. Cowan, C. Pu, D. Maier, H. Hintony, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, “Stackguard: automatic adaptive detection and prevention of buffer-overflow attacks,” in USENIX Security, 1998.
2. Microsoft, “A detailed description of the data execution prevention (dep) feature in windows xp service pack 2, windows xp tablet pc edition 2005, and windows server 2003,” http://support.microsoft.com/kb/875352.
3. E. D. Berger and B. G. Zorn, “Diehard: probabilistic memory safety for unsafe languages,” in PLDI, 2006.
4. rix, “Smashing c++ vptrs,” http://www.phrack.org/issues.html?issue=56&id=8, 2000.
5. O. Vertanen, “Java type confusion and fault attacks,” in FDTC, 2006.
6. D. Dewey and J. Giffin, “Static detection of c++ vtable escape vulnerabilities in binary code,” in NDSS, 2012.
7. Microsoft, “Vulnerability in Internet Explorer could allow remote code execution,” http://technet.microsoft.com/en-us/security/advisory/ 961051, 2008.
8. H. D. Moore, “Microsoft Internet Explorer data binding memory corruption,” http://packetstormsecurity.com/files/86162/Microsoft-Internet-Explorer-Data-Binding-Memory-Corruption.html, 2010.
9. Google, “Heap-use-after-free in WebCore (exploitable),” https://code.google.com/p/chromium/issues/detail?id=162835, 2012.
10. Symantec, “Microsoft Internet Explorer virtual function table remote code execution vulnerability,” http://www.symantec.com/security_ response/vulnerability.jsp?bid=54951, 2012.
11. VUPEN, “Exploitation of Mozilla Firefox use-after-free vulnerability,” http://www.vupen.com/blog/20120625.Advanced_Exploitation_ of-Mozilla_Firefox_UaF_CVE-2012-0469.php, 2012.
12. C. Evans, “Exploiting 64-bit Linux like a boss,” http://scarybeastsecurity.blogspot.com/2013/02/exploiting-64-bit-linux-like-boss.html, 2013.
13. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, “Control-flow integrity,” in CCS, 2005.
14. C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou, “Practical control flow integrity & randomization for binary executables,” in Proceedings of the 34th IEEE Symposium on Security and Privacy, San Francisco, CA, 2013.
15. B. Zeng, G. Tan, and G. Morrisett, “Combining control-flow integrity and static analysis for efficient and validated data sandboxing,” in Proceedings of the 18th ACM conference on Computer and communications security. ACM, 2011, pp. 29–40.
16. B. Zeng, G. Tan, and Ú. Erlingsson, “Strato-a retargetable framework for low-level inlined-reference monitors,” in USENIX Security Symposium, 2013.
17. M. Zhang and R. Sekar, “Control flow integrity for cots binaries,” in USENIX Security Symposium, 2013.
18. C. Grier, S. Tang, and S. T. King, “Secure web browsing with the op web browser,” in IEEE Security and Privacy, 2008.
19. C. Reis, A. Barth, and C. Pizano, “Browser security: lessons from google chrome,” in CACM, 2009.
20. A. Barth, C. Jackson, and C. Reis, “The security architecture of the chromium browser,” in Technical Report, 2008.
21. C. Lattner and V. Adve, “Llvm: A compilation framework for lifelong program analysis & transformation,” in CGO, 2004.
22. J. Dean, D. Grove, and C. Chambers, “Optimization of object-oriented programs using static class hierarchy analysis,” in ECOOP, 1995.
23. Google, “Octane javascript benchmark suite,” https://developers.google.com/octane/, 2013.
24. Apple, “Sunspider 1.0 javascript benchmark suite,” https://www.webkit.org/perf/sunspider/sunspider.html, 2013.
25. Mozilla, “Kraken 1.1 javascript benchmark suite,” http://krakenbenchmark.mozilla.org/, 2013.
26. WebKit, “Rendering performance tests,” https://code.google.com/p/webkit-mirror/source/browse/PerformanceTests/, 2013.
27. C. Tice, “Improving function pointer security for virtual method dispatches,” http://gcc.gnu.org/wiki/cauldron2012?action=AttachFile&do=get&target=cmtice.pdf, 2012.
28. C. Tice, “Gcc vtable security hardening proposal,” http://gcc.gnu.org/ml/gcc-patches/2012-11/txt00001.txt, 2012.
29. D. Dewey and J. T. Giffin, “Static detection of c++ vtable escape vulnerabilities in binary code,” in NDSS, 2012.
30. G. E. Collins, “A method for overlapping and erasure of lists,” in CACM, 1960.
31. D. J. Roth and D. S. Wise, “One-bit counts between unique and sticky,” in ISMM, 1998.
32. Y. Levanoni and E. Petrank, “An on-the-fly reference-counting garbage collector for java,” in TOPLAS, 2006.
33. G. C. Necula, J. Condit, M. Harren, S. McPeak, and W. Weimer, “Ccured: type-safe retrofitting of legacy software,” in TOPLAS, 2005.
34. J. Condit, M. Harren, S. McPeak, G. C. Necula, and W. Weimer, “Ccured in the real world,” in PLDI, 2003.
35. T. Jim, J. G. Morrisett, D. Grossman, M. W. Hicks, J. Cheney, and Y. Wang, “Cyclone: A safe dialect of c,” in USENIX ATEC, 2002.
36. W. Xu, D. C. DuVarney, and R. Sekar, “An efficient and backwards-compatible transformation to ensure memory safety of c programs,” in SIGSOFT, 2004.
37. J. Condit, M. Harren, Z. Anderson, D. Gay, and G. C. Necula, “Dependent types for low-level programming,” in ESOP, 2007.
38. M. R. Miller and K. D.Johnson, “Using virtual table protections to prevent the exploitation of object corruption vulnerabilities,” http://patentimages.storage.googleapis.com/pdfs/US20120144480.pdf, 2010.
39. J. Caballero, G. Grieco, M. Marron, and A. Nappa, “Undangle: early detection of dangling pointers in use-after-free and double-free vulnerabilities,” in ISSTA, 2012.
40. N. Nethercote and J. Seward, “Valgrind: a framework for heavyweight dynamic binary instrumentation,” in PLDI, 2007.
41. G. Novark and E. D. Berger, “Dieharder: securing the heap,” in CCS, 2010.
42. H. Shacham, “The geometry of innocent flesh on the bone: return-intolibc without function calls (on the x86),” in CCS, 2007.
43. P. Team, “Pax address space layout randomization,” http://pax.grsecurity.net/docs/aslr.txt.