Towards automated integrity protection of C++ virtual function tables in binary programs

Web browsers are one of the most used, complex, and popular software systems nowadays. They are prone to dangling pointers that result in use-after-free vulnerabilites and this is the de-facto way to exploit them. From a technical point of view, an attacker uses a technique called vtable hijacking to exploit such bugs. More specifically, she crafts bogus virtual tables and lets a freed C++ object point to it in order to gain control over the program at virtual function call sites. In this paper, we present a novel approach towards mitigating and detecting such attacks against C++ binary code. We propose a static binary analysis technique to extract virtual function call site information in an automated way. Leveraging this information, we instrument the given binary executable and add runtime policy enforcements to thwart the illegal usage of these call sites. We implemented the proposed techniques in a prototype called T-VIP and successfully hardened three versions of Microsoft's Internet Explorer and Mozilla Firefox. An evaluation with several zero-day exploits demonstrates that our method prevents all of them. Performance benchmarks both on micro and macro level indicate that the overhead is reasonable with about 2.2%, which is only slightly higher compared to recent compiler-based approaches that address this problem.

• Publication year

  2014

• Venue

  Asia-Pacific Computer Systems Architecture Conference

• Publication date

  2014-12-08

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1145/2664243.2664249
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Out of Control: Overcoming Control-Flow Integrity

  2014cited by this paper
• Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis

  2014cited by this paper
• SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks

  2014cited by this paper
• Eternal War in Memory

  2014cited by this paper
• Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM

  2014influential reference
• Control Flow Integrity for COTS Binaries

  2013cited by this paper
• Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization

  2013cited by this paper
• Practical Control Flow Integrity and Randomization for Binary Executables

  2013cited by this paper
• SoK: Eternal War in Memory

  2013cited by this paper
• Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization

  2012cited by this paper
• A vocabulary of program slicing-based techniques

  2012cited by this paper
• Binary stirring: self-randomizing instruction addresses of legacy x86 binary code

  2012cited by this paper
• Undangle: early detection of dangling pointers in use-after-free and double-free vulnerabilities

  2012cited by this paper
• BAP: A Binary Analysis Platform

  2011cited by this paper
• Retrofitting Security in COTS Software with Binary Rewriting

  2011cited by this paper
• Jump-oriented programming: a new class of code-reuse attack

  2011cited by this paper
• Cling: A Memory Allocator to Mitigate Dangling Pointers

  2010cited by this paper
• Return-oriented programming without returns

  2010cited by this paper
• DieHarder: securing the heap

  2010cited by this paper
• REIL: A platform-independent intermediate representation of disassembled code for static code analysis

  2009cited by this paper
• Surgically Returning to Randomized lib(c)

  2009cited by this paper
• Engineering Heap Overflow Exploits with JavaScript

  2008cited by this paper
• The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)

  2007cited by this paper
• Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software

  2006cited by this paper
• DieHard: probabilistic memory safety for unsafe languages

  2006cited by this paper
• Randomized instruction set emulation

  2005cited by this paper
• Pin: building customized program analysis tools with dynamic instrumentation

  2005cited by this paper
• Control-flow integrity

  2005influential reference
• A survey of empirical results on program slicing

  2004cited by this paper
• Disassembly of executable code revisited

  2002cited by this paper
• Vulcan Binary transformation in a distributed environment

  2001cited by this paper
• An on-the-fly reference counting garbage collector for Java

  2001cited by this paper
• Dynamo: a transparent dynamic optimization system

  2000cited by this paper
• Design and implementation of a dynamic optimization framework for windows

  2000cited by this paper
• ROSE: Compiler Support for Object-Oriented Frameworks

  1999cited by this paper
• One-bit counts between unique and sticky

  1998cited by this paper
• Amorphous program slicing

  1997cited by this paper
• The direct cost of virtual function calls in C++

  1996cited by this paper
• Dynamo

  1980cited by this paper
• Conclusion

  1969cited by this paper

• ARM MTE Performance in Practice (Extended Version)

  2026cites this paper
• SoK: Integrity, Attestation, and Auditing of Program Execution

  2025cites this paper
• HOBBIT: Hashed OBject Based InTegrity

  2024cites this paper
• SoK: Runtime Integrity

  2024cites this paper
• WarpAttack: Bypassing CFI through Compiler-Introduced Double-Fetches

  2023cites this paper
• Accelerating Type Confusion Detection by Identifying Harmless Type Castings

  2023cites this paper
• R2C: AOCR-Resilient Diversity with Reactive and Reflective Camouflage

  2023cites this paper
• FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch Tracking

  2023influential citation
• Tetris: Automatic UAF Exploit Generation by Manipulating Layout based on Reactivated Paths

  2022cites this paper
• Automated Use-After-Free Detection and Exploit Mitigation: How Far Have We Gone?

  2022cites this paper
• CloudImmu: Transparent Protection of Binary Applications in the Cloud

  2021cites this paper
• UAFSan: an object-identifier-based dynamic approach for detecting use-after-free vulnerabilities

  2021cites this paper
• Code Specialization through Dynamic Feature Observation

  2021cites this paper
• Program Obfuscation via ABI Debiasing

  2021cites this paper
• POP and PUSH: Demystifying and Defending against (Mach) Port-oriented Programming

  2021cites this paper
• NoVT: Eliminating C++ Virtual Calls to Mitigate Vtable Hijacking

  2021influential citation
• Finding Cracks in Shields: On the Security of Control Flow Integrity Mechanisms

  2020cites this paper
• Devil is Virtual: Reversing Virtual Inheritance in C++ Binaries

  2020influential citation
• A survey on attack vectors in stack cache memory

  2020cites this paper
• On Design Inference from Binaries Compiled using Modern C++ Defenses

  2019cites this paper
• VPS: excavating high-level C++ constructs from low-level binaries to protect dynamic dispatching

  2019cites this paper
• C R ] 1 M ar 2 01 9 FRAMER : A Software-based Capability Model 1

  2019cites this paper
• Multilayer ROP Protection Via Microarchitectural Units Available in Commodity Hardware

  2019cites this paper
• CONFIRM: Evaluating Compatibility and Relevance of Control-flow Integrity Protections for Modern Software

  2019influential citation
• FRAMER: a tagged-pointer capability system with memory safety applications

  2019cites this paper
• Layered Object-Oriented Programming: Advanced VTable Reuse Attacks on Binary-Level Defense

  2019influential citation
• Advanced code reuse attacks against modern defences

  2019influential citation
• DeClassifier: Class-Inheritance Inference Engine for Optimized C++ Binaries

  2019cites this paper
• FRAMER: A Software-based Capability Model.

  2019cites this paper
• Towards Interface-Driven COTS Binary Hardening

  2018cites this paper
• Preface

  2018cites this paper
• CFIXX: Object Type Integrity for C++.

  2018cites this paper
• CFIXX: Object Type Integrity for C++

  2018cites this paper
• CFIXX : Object Type Integrity for C + + Virtual

  2018cites this paper
• UFO: Predictive Concurrency Use-After-Free Detection

  2018cites this paper
• An Exploratory Analysis of Microcode as a Building Block for System Defenses

  2018cites this paper
• FRAMER: A Cache-friendly Software-based Capability Model

  2018cites this paper
• Hardware control flow integrity

  2018cites this paper
• Protecting dynamic code

  2018cites this paper
• A Tough call : Mitigating Code-Reuse Attacks On The Binary Level

  2018cites this paper
• Evaluating control-flow restricting defenses

  2018cites this paper
• How memory safety violations enable exploitation of programs

  2018cites this paper
• Attacking dynamic code

  2018cites this paper
• Multi-variant execution environments

  2018cites this paper
• Diversity and information leaks

  2018cites this paper
• Protection from Within: Runtime Hardening Techniques for COTS Binaries

  2017cites this paper
• Venerable Variadic Vulnerabilities Vanquished

  2017cites this paper
• Analyzing and securing binaries through static disassembly

  2017cites this paper
• Boosting the precision of virtual call integrity protection with partial pointer analysis for C++

  2017cites this paper
• Introspective Intrusion Detection

  2017cites this paper
• A Formal Model for an Ideal CFI

  2017cites this paper
• Strict Virtual Call Integrity Checking for C++ Binaries

  2017influential citation
• MARX: Uncovering Class Hierarchies in C++ Programs

  2017cites this paper
• DROP THE ROP Fine-grained Control-flow Integrity for the Linux Kernel

  2017cites this paper
• Control-Flow Integrity

  2017cites this paper
• CFIXX : Object Type Integrity for C + + Virtual Dispatch

  2017cites this paper
• SAVI objects: sharing and virtuality incorporated

  2017cites this paper
• Objects : Sharing and Virtuality Incorporated

  2017cites this paper
• Object Flow Integrity

  2017cites this paper
• Supplementing Modern Software Defenses with Stack-Pointer Sanity

  2017cites this paper
• Mitigating Use-After-Free Attacks Using Memory-Reuse-Prohibited Library

  2017cites this paper
• VTPin: Protecting Legacy Software from VTable Hijacking

  2016influential citation
• HCFI: Hardware-enforced Control-Flow Integrity

  2016cites this paper
• An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries

  2016cites this paper
• VTPin: practical VTable hijacking protection for binaries

  2016influential citation
• VTrust: Regaining Trust on Virtual Calls

  2016influential citation
• Repackage-Proofing Android Apps

  2016cites this paper
• A Tough Call: Mitigating Advanced Code-Reuse Attacks at the Binary Level

  2016cites this paper
• HeapRevolver: Delaying and Randomizing Timing of Release of Freed Memory Area to Prevent Use-After-Free Attacks

  2016cites this paper
• Detile: Fine-Grained Information Leak Detection in Script Engines

  2016cites this paper
• Automatic Contract Insertion with CCBot

  2016cites this paper
• Return to Where? You Can't Exploit What You Can't Find

  2015cites this paper
• Readactor: Practical Code Randomization Resilient to Memory Disclosure

  2015cites this paper
• Building Control-Flow Integrity Defenses

  2015cites this paper
• DR AF T VTrust : Regaining Trust on Virtual Calls

  2015influential citation
• Building Secure Defenses Against Code-Reuse Attacks

  2015cites this paper
• Securing Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future?

  2015cites this paper
• A Principled Approach for ROP Defense

  2015cites this paper
• Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications

  2015cites this paper
• It's a TRaP: Table Randomization and Protection against Function-Reuse Attacks

  2015cites this paper
• vfGuard: Strict Protection for Virtual Function Calls in COTS C++ Binaries

  2015cites this paper
• Enhancing and Extending Software Diversity

  2015cites this paper
• Code-pointer integrity

  2014cites this paper
• NOPoutNG: Improving the Effectiveness of Hardware-assisted Control-flow Integrity via Dynamic Landing Pad Elision

  year unknowncites this paper