Article

Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications

Authors:

Felix Schuster,

Thomas Tendyck,

Christopher Liebchen,

Lucas Davi,

Ahmad-Reza Sadeghi,

Thorsten HolzAuthors Info & Claims

SP '15: Proceedings of the 2015 IEEE Symposium on Security and Privacy

Pages 745 - 762

https://doi.org/10.1109/SP.2015.51

Published: 17 May 2015 Publication History

Abstract

Code reuse attacks such as return-oriented programming (ROP) have become prevalent techniques to exploit memory corruption vulnerabilities in software programs. A variety of corresponding defenses has been proposed, of which some have already been successfully bypassed -- and the arms race continues. In this paper, we perform a systematic assessment of recently proposed CFI solutions and other defenses against code reuse attacks in the context of C++. We demonstrate that many of these defenses that do not consider object-oriented C++ semantics precisely can be generically bypassed in practice. Our novel attack technique, denoted as counterfeit object-oriented programming (COOP), induces malicious program behavior by only invoking chains of existing C++ virtual functions in a program through corresponding existing call sites. COOP is Turing complete in realistic attack scenarios and we show its viability by developing sophisticated, real-world exploits for Internet Explorer 10 on Windows and Fire fox 36 on Linux. Moreover, we show that even recently proposed defenses (CPS, T-VIP, vfGuard, and VTint) that specifically target C++ are vulnerable to COOP. We observe that constructing defenses resilient to COOP that do not require access to source code seems to be challenging. We believe that our investigation and results are helpful contributions to the design and implementation of future defenses against control flow hijacking attacks.

Cited By

View all

Chang ZLin JSun HLi RWang YHu BZhao XJiang DSun NWang S(2024)Chaos: Function Granularity Runtime Address Layout Space Randomization for Kernel ModuleProceedings of the 15th ACM SIGOPS Asia-Pacific Workshop on Systems10.1145/3678015.3680476(23-30)Online publication date: 4-Sep-2024
https://dl.acm.org/doi/10.1145/3678015.3680476
Thomas SWorkneh KMcCarty JIzraelevitz JLehman TBahar RTsafrir DMusuvathi MGupta RAbu-Ghazaleh N(2024)A Midsummer Night’s Tree: Efficient and High Performance Secure SCMProceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 310.1145/3620666.3651354(22-37)Online publication date: 27-Apr-2024
https://dl.acm.org/doi/10.1145/3620666.3651354
Ismail MJelesnianski CJang YMin CXiong WTsafrir DMusuvathi MGupta RAbu-Ghazaleh N(2024)Enforcing C/C++ Type and Scope at Runtime for Control-Flow and Data-Flow IntegrityProceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 310.1145/3620666.3651342(283-300)Online publication date: 27-Apr-2024
https://dl.acm.org/doi/10.1145/3620666.3651342
Show More Cited By

Recommendations

LMP: light-weighted memory protection with hardware assistance
ACSAC '16: Proceedings of the 32nd Annual Conference on Computer Security Applications

Despite a long history and numerous proposed defenses, memory corruption attacks are still viable. A secure and low-overhead defense against return-oriented programming (ROP) continues to elude the security community. Currently proposed solutions still ...
Return-Oriented Programming

Attackers able to compromise the memory of a target machine can change its behavior and usually gain complete control over it. Despite the ingenious prevention and protection mechanisms that have been implemented in modern operating systems, memory ...
Analyzing the Gadgets
ESSoS 2016: Proceedings of the 8th International Symposium on Engineering Secure Software and Systems - Volume 9639

Current low-level exploits often rely on code-reuse, whereby short sections of code gadgets are chained together into a coherent exploit that can be executed without the need to inject any code. Several protection mechanisms attempt to eliminate this ...

Comments

Information & Contributors

Information

Published In

SP '15: Proceedings of the 2015 IEEE Symposium on Security and Privacy

May 2015

923 pages

ISBN:9781467369497

Publisher

IEEE Computer Society

United States

Publication History

Published: 17 May 2015

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

100
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 30 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Chang ZLin JSun HLi RWang YHu BZhao XJiang DSun NWang S(2024)Chaos: Function Granularity Runtime Address Layout Space Randomization for Kernel ModuleProceedings of the 15th ACM SIGOPS Asia-Pacific Workshop on Systems10.1145/3678015.3680476(23-30)Online publication date: 4-Sep-2024
https://dl.acm.org/doi/10.1145/3678015.3680476
Thomas SWorkneh KMcCarty JIzraelevitz JLehman TBahar RTsafrir DMusuvathi MGupta RAbu-Ghazaleh N(2024)A Midsummer Night’s Tree: Efficient and High Performance Secure SCMProceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 310.1145/3620666.3651354(22-37)Online publication date: 27-Apr-2024
https://dl.acm.org/doi/10.1145/3620666.3651354
Ismail MJelesnianski CJang YMin CXiong WTsafrir DMusuvathi MGupta RAbu-Ghazaleh N(2024)Enforcing C/C++ Type and Scope at Runtime for Control-Flow and Data-Flow IntegrityProceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 310.1145/3620666.3651342(283-300)Online publication date: 27-Apr-2024
https://dl.acm.org/doi/10.1145/3620666.3651342
She CLi JChen LShi G(2024)SCFIComputers and Security10.1016/j.cose.2024.103800140:COnline publication date: 1-May-2024
https://dl.acm.org/doi/10.1016/j.cose.2024.103800
Wang RChen KZhang CPan ZLi QQin SXu SZhang MLi YCalandrino JTroncoso C(2023)AlphaEXPProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620474(4229-4246)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620474
Ahmed SLiljestrand HJamjoom HHicks MAsokan NYao DCalandrino JTroncoso C(2023)Not all data are created equalProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620318(1433-1450)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620318
Zhang QZhou CXu YYin ZWang MSu ZSun CJiang YSun J(2023)Building Dynamic System Call Sandbox with Partial Order AnalysisProceedings of the ACM on Programming Languages10.1145/36228427:OOPSLA2(1253-1280)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3622842
Wang XHui TZhao LCheng YChandra SBlincoe KTonella P(2023)Input-Driven Dynamic Program Debloating for Code-Reuse Attack MitigationProceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3611643.3616274(934-946)Online publication date: 30-Nov-2023
https://dl.acm.org/doi/10.1145/3611643.3616274
Bauman EDuan JHamlen KLin Z(2023)Renewable Just-In-Time Control-Flow IntegrityProceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3607199.3607239(580-594)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3607199.3607239
Gaidis AMoreira JSun KMilburn AAtlidakis VKemerlis V(2023)FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch TrackingProceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3607199.3607219(527-546)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3607199.3607219
Show More Cited By

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

Cited By

Recommendations

LMP: light-weighted memory protection with hardware assistance

Return-Oriented Programming

Analyzing the Gadgets

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations