DOI: 10.1145/2991079.2991121

VTPin: practical VTable hijacking protection for binaries

Published: 05 December 2016

Abstract

VTable hijacking has lately been promoted to the de facto technique for exploiting C++ applications, and in particular web browsers. VTables, however, can be manipulated without necessarily corrupting memory, simply by leveraging use-after-free bugs. In fact, in the recent Pwn2Own competitions all major web browsers were compromised with exploits that employed (among others) use-after-free vulnerabilities and VTable hijacking.
In this paper, we propose VTPin: a system to protect against VTable hijacking, via use-after-free vulnerabilities, in large C++ binaries that cannot be re-compiled or re-written. The main idea behind VTPin is to pin all the freed VTable pointers on a safe VTable under VTPin's control. Specifically, for every object deallocation, VTPin deallocates all space allocated, but preserves and updates the VTable pointer with the address of the safe VTable. Hence, any dereferenced dangling pointer can only invoke a method provided by VTPin's safe object. Subsequently, all virtual-method calls due to dangling pointers are not simply neutralized, but they can be logged, tracked, and patched.
Compared to other solutions that defend against VTable hijacking, VTPin exhibits certain characteristics that make it suitable for practical and instant deployment in production software. First, VTPin protects binaries, directly and transparently, without requiring source compilation or binary rewriting. Second, VTPin is not an allocator replacement, and thus it does not interfere with the allocation strategies and policies of the protected program; it intervenes in the deallocation process only when a virtual object is to be freed for preserving the VTable pointer. Third, VTPin is fast; Mozilla Firefox, protected with VTPin, experiences an average overhead of 1%-4.1% when running popular browser benchmarks.
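As an added illustration (not code from the paper or from VTPin itself), the pinning step described in the abstract modelled in C: a free hook that releases a freed virtual object's storage except for its first word, and rewrites that word to point at a safe VTable, so a later virtual call through the dangling pointer is absorbed and counted instead of reaching freed memory. The registry of known VTables (standing in for VTPin's own vptr check), the sample Widget class, and the in-place shrink via realloc are assumptions of this model.

```c
#include <stdio.h>
#include <stdlib.h>

/* C model of the C++ object layout: word 0 of a polymorphic object is the
 * VTable pointer (vptr); the VTable itself is an array of function pointers. */
typedef struct Obj Obj;
typedef struct { void (*on_event)(Obj *); const char *name; } VTable;
struct Obj { const VTable *vptr; char payload[24]; };

/* Stand-in for VTPin's "is word 0 a vptr?" test, which in the real system
 * checks that the word points into a VTable of a loaded module (assumption). */
static const VTable *known_vtables[8]; static int n_known;
void register_vtable(const VTable *vt) { known_vtables[n_known++] = vt; }
static int is_known_vtable(const void *p) {
    for (int i = 0; i < n_known; i++) if (known_vtables[i] == p) return 1;
    return 0;
}

/* The safe object: a dangling virtual call lands here instead of in freed
 * memory, so it can be counted, logged and later patched. */
static int pinned_calls;
static void safe_on_event(Obj *self) {
    pinned_calls++;
    fprintf(stderr, "VTPin: virtual call through freed object %p\n", (void *)self);
}
static const VTable safe_vtable = { safe_on_event, "VTPin safe VTable" };
int pinned_call_count(void) { return pinned_calls; }

/* VTPin-style free. Chunks that do not start with a known vptr are freed
 * normally. A virtual object is shrunk so only its first word stays allocated,
 * and that word is pinned to the safe VTable. Assumes realloc shrinks a small
 * chunk in place (true for glibc); a moved chunk would leave the old address
 * unprotected, which is the failure mode a real deployment must rule out. */
Obj *vtpin_free(void *p) {
    if (!p) return NULL;
    if (!is_known_vtable(*(const void **)p)) { free(p); return NULL; }
    void *kept = realloc(p, sizeof(void *));     /* release everything but the vptr */
    if (kept) *(const VTable **)kept = &safe_vtable;  /* pin to the safe VTable */
    return kept;
}

/* Virtual dispatch exactly as compiled code does it: load vptr, call slot 0. */
void dispatch(Obj *o) { o->vptr->on_event(o); }

/* A sample class, constructed for this example. */
static int widget_events;
static void widget_on_event(Obj *self) { (void)self; widget_events++; }
const VTable widget_vtable = { widget_on_event, "Widget" };
Obj *new_widget(void) { Obj *o = calloc(1, sizeof *o); o->vptr = &widget_vtable; return o; }
int widget_event_count(void) { return widget_events; }
```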



    Published In

    ACSAC '16: Proceedings of the 32nd Annual Conference on Computer Security Applications
    December 2016, 614 pages
    ISBN: 9781450347716
    DOI: 10.1145/2991079
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Sponsors

    • ACSA: Applied Computing Security Assoc

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. VTable protection
    2. control-flow hijacking
    3. use-after-free

    Qualifiers

    • Research-article

    Conference

    ACSAC '16: 2016 Annual Computer Security Applications Conference
    Sponsor: ACSA
    December 5-8, 2016
    Los Angeles, California, USA

    Acceptance Rates

    Overall Acceptance Rate 104 of 497 submissions, 21%

    Cited By

    • (2022) Automated Use-After-Free Detection and Exploit Mitigation: How Far Have We Gone? IEEE Transactions on Software Engineering 48(11): 4569-4589. DOI: 10.1109/TSE.2021.3121994. Online publication date: 1-Nov-2022.
    • (2021) Integrating and Validating Maritime Transport Security Services: Initial results from the CS4EU demonstrator. Proceedings of the 2021 Thirteenth International Conference on Contemporary Computing, pages 371-377. DOI: 10.1145/3474124.3474213. Online publication date: 5-Aug-2021.
    • (2021) UAFSan: an object-identifier-based dynamic approach for detecting use-after-free vulnerabilities. Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, pages 309-321. DOI: 10.1145/3460319.3464835. Online publication date: 11-Jul-2021.
    • (2020) Finding Cracks in Shields: On the Security of Control Flow Integrity Mechanisms. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pages 1821-1835. DOI: 10.1145/3372297.3417867. Online publication date: 30-Oct-2020.
    • (2020) Devil is Virtual: Reversing Virtual Inheritance in C++ Binaries. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pages 133-148. DOI: 10.1145/3372297.3417251. Online publication date: 30-Oct-2020.
    • (2019) CONFIRM. Proceedings of the 28th USENIX Conference on Security Symposium, pages 1805-1821. DOI: 10.5555/3361338.3361463. Online publication date: 14-Aug-2019.
    • (2019) SlimGuard. Proceedings of the 20th International Middleware Conference, pages 1-13. DOI: 10.1145/3361525.3361532. Online publication date: 9-Dec-2019.
    • (2019) VPS. Proceedings of the 35th Annual Computer Security Applications Conference, pages 97-112. DOI: 10.1145/3359789.3359797. Online publication date: 9-Dec-2019.
    • (2019) BOGO. Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems, pages 631-644. DOI: 10.1145/3297858.3304017. Online publication date: 4-Apr-2019.
    • (2019) Kernel Protection Against Just-In-Time Code Reuse. ACM Transactions on Privacy and Security 22(1): 1-28. DOI: 10.1145/3277592. Online publication date: 4-Jan-2019.
