Layered Object-Oriented Programming: Advanced VTable Reuse Attacks on Binary-Level Defense

Vtable reuse attack, as a novel type of code reuse attacks, is introduced to bypass most binary-level control flow integrity enforcement and vtable integrity enforcement. So far, two binary-level defenses (TypeArmor and vfGuard) are proposed to defend against vtable reuse attacks. Both techniques use semantic information as the control flow integrity enforcement policy, i.e., TypeArmor and vfGuard utilize argument register count and dispatch offset at virtual callsite as the signature to check the validity of target functions, respectively. In this paper, we propose layered object-oriented programming (LOOP), an advanced vtable reuse attack, to show that the coarse-grained control flow integrity strategies are still vulnerable to vtable reuse attacks. In LOOP, we introduce argument expansion gadgets and transfer gadgets to, respectively, bypass TypeArmor and vfGuard. We generalize the characteristics of both gadgets and develop a tool to discover them at the binary level. We demonstrated that under the protection of TypeArmor and vfGuard, Firefox, Adobe Flash Player, and Internet Explorer are all vulnerable to LOOP attacks. Furthermore, we show the availability of argument expansion gadgets and transfer gadgets in common software or libraries.

• Publication year

  2019

• Venue

  IEEE Transactions on Information Forensics and Security

• Publication date

  2019-03-01

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1109/TIFS.2018.2855648
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• CFIXX: Object Type Integrity for C++

  2018cited by this paper
• MARX: Uncovering Class Hierarchies in C++ Programs

  2017influential reference
• Strict Virtual Call Integrity Checking for C++ Binaries

  2017influential reference
• CodeArmor: Virtualizing the Code Space to Counter Disclosure Attacks

  2017cited by this paper
• The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later

  2017cited by this paper
• A Tough Call: Mitigating Advanced Code-Reuse Attacks at the Binary Level

  2016influential reference
• Protecting C++ Dynamic Dispatch Through VTable Interleaving

  2016cited by this paper
• Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks

  2016cited by this paper
• VTrust: Regaining Trust on Virtual Calls

  2016cited by this paper
• No-Execute-After-Read: Preventing Code Disclosure in Commodity Software

  2016cited by this paper
• Enforcing Kernel Security Invariants with Data Flow Integrity.

  2016cited by this paper
• VTPin: practical VTable hijacking protection for binaries

  2016cited by this paper
• vfGuard: Strict Protection for Virtual Function Calls in COTS C++ Binaries

  2015influential reference
• Readactor: Practical Code Randomization Resilient to Memory Disclosure

  2015cited by this paper
• Heisenbyte: Thwarting Memory Disclosure Attacks using Destructive Code Reads

  2015cited by this paper
• Practical Context-Sensitive CFI

  2015cited by this paper
• VTint: Protecting Virtual Function Tables' Integrity

  2015influential reference
• Control-Flow Bending: On the Effectiveness of Control-Flow Integrity

  2015cited by this paper
• Opaque Control-Flow Integrity

  2015cited by this paper
• Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity

  2015cited by this paper
• Per-Input Control-Flow Integrity

  2015cited by this paper
• It's a TRaP: Table Randomization and Protection against Function-Reuse Attacks

  2015cited by this paper
• Timely Rerandomization for Mitigating Memory Disclosures

  2015cited by this paper
• Fine-Grained Control-Flow Integrity Through Binary Hardening

  2015cited by this paper
• Automatic Generation of Data-Oriented Exploits

  2015cited by this paper
• Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications

  2015cited by this paper
• Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming

  2015cited by this paper
• CCFI: Cryptographically Enforced Control Flow Integrity

  2015cited by this paper
• Cryptographically Enforced Control Flow Integrity

  2014cited by this paper
• Towards automated integrity protection of C++ virtual function tables in binary programs

  2014influential reference
• Code-pointer integrity

  2014influential reference
• ROP is Still Dangerous: Breaking Modern Defenses

  2014influential reference
• Modular control-flow integrity

  2014cited by this paper
• SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks

  2014cited by this paper
• Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection

  2014cited by this paper
• Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM

  2014cited by this paper
• Oxymoron: Making Fine-Grained Memory Randomization Practical by Allowing Code Sharing

  2014cited by this paper
• Out of Control: Overcoming Control-Flow Integrity

  2014cited by this paper
• Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization

  2013cited by this paper
• Practical Control Flow Integrity and Randomization for Binary Executables

  2013influential reference
• kBouncer : Efficient and Transparent ROP Mitigation

  2012cited by this paper
• XIFER: A Software Diversity Tool Against Code-Reuse Attacks

  2012cited by this paper
• Binary stirring: self-randomizing instruction addresses of legacy x86 binary code

  2012influential reference
• Return-Oriented Programming

  2012influential reference
• On the Expressiveness of Return-into-libc Attacks

  2011cited by this paper
• Jump-oriented programming: a new class of code-reuse attack

  2011cited by this paper
• Q: Exploit Hardening Made Easy

  2011cited by this paper
• Cling: A Memory Allocator to Mitigate Dangling Pointers

  2010cited by this paper
• G-Free: defeating return-oriented programming through gadget-less binaries

  2010cited by this paper
• Preventing Memory Error Exploits with WIT

  2008cited by this paper
• Securing software by enforcing data-flow integrity

  2006cited by this paper
• Control-flow integrity

  2005cited by this paper
• Non-Control-Data Attacks Are Realistic Threats

  2005cited by this paper
• CCured: type-safe retrofitting of legacy code

  2002cited by this paper
• Cyclone: A Safe Dialect of C

  2002cited by this paper
• Optimization of Object-Oriented Programs Using Static Class Hierarchy Analysis

  1995cited by this paper

• Link-Time Optimization of Dynamic Casts in C++ Programs

  2025cites this paper
• Characterizing usages, updates and risks of third-party libraries in Java projects

  2022cites this paper
• MProbe: Make the code probing meaningless

  2022cites this paper
• Stack-based Buffer Overflow Detection using Recurrent Neural Networks

  2020cites this paper
• An Empirical Study of Usages, Updates and Risks of Third-Party Libraries in Java Projects

  2020cites this paper
• Survey of Methods for Automated Code-Reuse Exploit Generation

  2020cites this paper
• Formal modelling of a sheet metal smart manufacturing system by using Petri nets and first-order predicate logic

  2020cites this paper
• 2019 Index IEEE Transactions on Information Forensics and Security Vol. 14

  2019cites this paper