Full Program »
Towards Automated Integrity Protection of C++ Virtual Function Tables in Binary Programs
Presentation 116KB |
nowadays. They are prone to dangling pointers that result in use-after-free
vulnerabilites and this is the de-facto way to exploit them. From a technical
point of view, an attacker uses a technique called vtable hijacking to exploit
such bugs. More specifically, she crafts bogus virtual tables and lets a freed
C++ object point to it in order to gain control over the program at virtual
function call sites.
In this paper, we present a novel approach towards mitigating and detecting such
attacks against C++ binary code. We propose a static binary analysis technique
to extract virtual function call site information in an automated way.
Leveraging this information, we instrument the given binary executable and add
runtime policy enforcements to thwart the illegal usage of these call sites.
We implemented the proposed techniques in a prototype called T-VIP and
successfully hardened three versions of Microsoft’s Internet Explorer and
Mozilla Firefox. An evaluation with several zero-day exploits demonstrates that
our method prevents all of them. Performance benchmarks both on micro and macro
level indicate that the overhead is reasonable with about 2.2 %, which is only
slightly higher compared to recent compiler-based approaches that address this
problem.
Author(s):
Robert Gawlik
Ruhr-University Bochum
Germany
Thorsten Holz
Ruhr-University Bochum
Germany