Presentation is loading. Please wait.

Presentation is loading. Please wait.

University of Washington

Published byInge Rachman Modified over 5 years ago

Similar presentations

Presentation on theme: "University of Washington"— Presentation transcript:

1 University of Washington
SafeDispatch Securing C++ Virtual Function Calls from Memory Corruption Attacks Dongseok Jang Zachary Tatlock Sorin Lerner UC San Diego University of Washington

2 Vulnerable

3 Control Flow Hijacking
Lead Program to Jump to Unexpected Code That does what attacker wants Example: Stack Buffer Overflow Attacks Well studied and hard to be critical by itself New Frontier : Vtable Hijacking

4 Mechanism for Virtual Functions
Vtable Pointers Mechanism for Virtual Functions x class C { virtual int foo(); virtual int bar(); int fld; }; ... C *x = new C(); vptr fld foo bar foo’s impl bar’s impl heap obj vtable

5 Virtual Call : 2-Step Dereferencing for Callee
Vtable Pointers Virtual Call : 2-Step Dereferencing for Callee x->foo(); x vptr = *((FPTR**)x); f = *(vptr + 0); f(x); vptr fld foo bar foo’s impl bar’s impl heap obj vtable

6 Vtable Hijacking x->foo(); x Arbitrary Code fake vtable bad fld foo
vptr = *((FPTR**)x); f = *(vptr + 0); f(x); bad fld foo bar foo’s impl bar’s impl heap obj vtable

7 Vtable Hijacking via Use-after-Free
Use Corrupted Data for x’s vptr x x C *x = new C(); x->foo(); delete x; // forget x = NULL; ... D *y = new D(); y->buf[0] = input(); candidate for reallocation C::vptr x’s fld corrupted buf[1] buf[0] buf[1] y

8 Vtable Hijacking: Real Case
Vtable Hijacking of Chrome via Use-after-Free Pinkie Pie’s demonstration at Pwn2Own Used to trigger ROP for sandbox escaping of Chrome Found in IE, Firefox, Chrome

9 With Accuracy & Low Overhead?
How to Prevent Vtable Hijacking? With Accuracy & Low Overhead?

10 Code Instrumentation C *x = ... Check(x); x->foo();

11 Valid(C) = { vptr of C or C’s subclasses }
Code Instrumentation C *x = ... ASSERT(VPTR(x) ∈ Valid(C)); x->foo(); Valid(C) = { vptr of C or C’s subclasses } Obtained by class hierarchy analysis (CHA)

12 Simple Implementation Can Be Slow
Code Instrumentation C *x = ... ASSERT(VPTR(x) ∈ Valid(C)); x->foo(); Simple Implementation Can Be Slow Involved data structure lookup/function calls

13 Inlining Optimization
C *x = ... ASSERT(VPTR(x) ∈ Valid(C)); x->foo() x->foo(); vptr = *((FPTR**)x); f = *(vptr + 0); f(x);

14 Inlining Optimization
C *x = ... ASSERT(VPTR(x) ∈ Valid(C)); vptr = *((FPTR**)x); // f = *(vptr + 0); f(x); ASSERT(vptr ∈ Valid(C));

15 Inlining Optimization
C *x = ... ASSERT(VPTR(x) ∈ Valid(C)); vptr = *((FPTR**)x); ASSERT(vptr ∈ Valid(C)); // // f = *(vptr + 0); f(x); ASSERT(vptr ∈ {C::vptr, D::vptr}); Say that C has only one subclass D  Specialization of Checks

16 Inlining Optimization
C *x = ... ASSERT(VPTR(x) ∈ Valid(C)); vptr = *((FPTR**)x); ASSERT(vptr ∈ Valid(C)); ASSERT(vptr ∈ {C::vptr, D::vptr}); // // // f = *(vptr + 0); f(x); SAFE:

17 Inlining Optimization
C *x = ... ASSERT(VPTR(x) ∈ Valid(C)); vptr = *((FPTR**)x); ASSERT(vptr ∈ Valid(C)); ASSERT(vptr ∈ {C::vptr, D::vptr}); // // // if (vptr == C::vptr) goto SAFE; if (vptr == D::vptr) goto SAFE; exit(-1); SAFE: f = *(vptr + 0); f(x);

18 Inlining Optimization
C *x = ... ASSERT(VPTR(x) ∈ Valid(C)); vptr = *((FPTR**)x); ASSERT(vptr ∈ Valid(C)); ASSERT(vptr ∈ {C::vptr, D::vptr}); How to Order Inlined Checked?  Profile-guided Inlining // // // if (vptr == C::vptr) goto SAFE; if (vptr == D::vptr) goto SAFE; exit(-1); SAFE: f = *(vptr + 0); f(x);

19 Method Pointer Checking
C *x = ... vptr = *((FPTR**)x); ASSERT(vptr ∈ {C::vptr, D::vptr}); f = *(vptr + 0); x->foo() f(x)

20 Method Pointer Checking
C *x = ... vptr = *((FPTR**)x); ASSERT(vptr ∈ {C::vptr, D::vptr}); f = *(vptr + 0); // f(x) ASSERT(f ∈ ValidM(C,foo)); Checking Callee Before It Is Called Provides same security as vtable checking

21 Method Pointer Checking
C *x = ... vptr = *((FPTR**)x); ASSERT(vptr ∈ {C::vptr, D::vptr}); f = *(vptr + 0); // // ASSERT(f ∈ ValidM(C,foo)); f(x) ASSERT(f ∈ {C::foo}); Save Checks for Shared Methods Say that C has one subclass D and D doesn’t override C::foo()

22  Up to 1000 method ptr checks! Vtable Checking Can Be Faster
Member Pointers in C++ A *x = ... // m: index into a vtable // x->*m can be any methods of A (x->*m)() Say that A has 1000 methods  Up to 1000 method ptr checks! Vtable Checking Can Be Faster

23 Method Pointer Checking
Fewer Checks for Usual Virtual Calls More Checks for Member Pointer Calls

24 Hybrid Checking Method Checking for Usual Virtual Calls
Vtable Checking for Member Pointer Calls

25 Inserted Checks in Read-Only Memory Checking Data in Read-Only Memory
Tamper Resistance Inserted Checks in Read-Only Memory Checking Data in Read-Only Memory

26 Performance: Benchmark
Chromium Browser Realistic : ≈ 3 millions of C++/C LOC Popular target of vtable hijacking Running On JS, HTML5 Benchmark

27 Performance Unoptimized (Avg: 23%)

28 Profile-Guided Inlining (Avg: 6%)
Performance Profile-Guided Inlining (Avg: 6%)

29 Inlined Method Ptr Checking (3%)
Performance Inlined Method Ptr Checking (3%)

30 Hybrid Checking (Avg: 2%)
Performance Hybrid Checking (Avg: 2%)

31 Checking Data + Inlined Checks
Code Size Overhead 7% Code Size Increase 8.3 MB out of 119 MB Checking Data + Inlined Checks

32 Future Work Separate Compilation Dynamic Link Library
Link-time CHA / inlining Dynamic Link Library Runtime update of checking data

33 Compiler-based Approach
Summary Vtable Hijacking Often happening in web browsers Compiler-based Approach Code Instrumentation / static Analysis Realistic Overhead Careful compiler optimizations

34 Thank you!

Download ppt "University of Washington"

Similar presentations

Dynamic Memory Management

Dynamic Memory Management
HARDWARE SOFTWARE PARTITIONING AND CO-DESIGN PRINCIPLES MADHUMITA RAMESH BABU SUDHI PROCH 1/37.

HARDWARE SOFTWARE PARTITIONING AND CO-DESIGN PRINCIPLES MADHUMITA RAMESH BABU SUDHI PROCH 1/37.
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Chris Riesbeck, Fall 2007 Dynamic Memory Allocation Today Dynamic memory allocation – mechanisms & policies Memory bugs.

Chris Riesbeck, Fall 2007 Dynamic Memory Allocation Today Dynamic memory allocation – mechanisms & policies Memory bugs.
CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Various languages….  Could affect performance  Could affect reliability  Could affect language choice.

Various languages….  Could affect performance  Could affect reliability  Could affect language choice.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Design of a Framework for Testing Security Mechanisms for Program-Based Attacks Ben “Security” Breech and Lori Pollock University of Delaware.

Design of a Framework for Testing Security Mechanisms for Program-Based Attacks Ben “Security” Breech and Lori Pollock University of Delaware.
Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
San Diego Supercomputer Center Performance Modeling and Characterization Lab PMaC Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation.

San Diego Supercomputer Center Performance Modeling and Characterization Lab PMaC Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation.
1 ES 314 Advanced Programming Lec 3 Sept 8 Goals: complete discussion of pointers discuss 1-d array examples Selection sorting Insertion sorting 2-d arrays.

1 ES 314 Advanced Programming Lec 3 Sept 8 Goals: complete discussion of pointers discuss 1-d array examples Selection sorting Insertion sorting 2-d arrays.
Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.

Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.

Similar presentations

Ads by Google