Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications

Schuster, Félix; Tendyck, Thomas; Liebchen, Christopher; Davi, Lucas; Sadeghi, Ahmad-Reza; Holz, Thorsten

doi:10.1109/sp.2015.51

Cited by 255 publications

(191 citation statements)

References 34 publications

Supporting

Mentioning

191

Contrasting

Order By: Relevance

“…The COOP (Counterfeit Object-oriented Programming) attack proposed by Schuster et.al. [28] introduces a specific type of VTable reuse attack. By stitching several virtual functions, attackers may execute arbitrary code.…”

Section: B Attack Surfacementioning

confidence: 99%

“…Modern compilers place VTables in read-only sections, defeating VTable corruption attacks by default. But VTable injection attacks are still one of the most popular attacks, and VTable reuse attacks are also practical and hard to defeat [28].…”

Section: Introductionmentioning

confidence: 99%

“…VTint [27] uses binary rewriting to protect the integrity of VTables, and blocks corrupted or injected VTables from being used, but fails to protect against VTable reuse attacks. The research paper COOP [28] shows that VTable reuse attacks are practical and even Turing-complete in real applications. Illustration of VTrust's overall defense.…”

Section: Introductionmentioning

confidence: 99%

“…It introduces a very low performance overhead, e.g., 0.31% for Firefox and 0.72% for SPEC2006. It is able to defeat all VTable reuse attacks, including the COOP attack [28]. It is also able to defeat all VTable injection attacks, if target applications do not have writable code (e.g., dynamically generated code).…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

VTrust: Regaining Trust on Virtual Calls

Zhang¹,

Song²,

Carr³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-Virtual function calls are one of the most popular control-flow hijack attack targets. Compilers use a virtual function pointer table, called a VTable, to dynamically dispatch virtual function calls. These VTables are read-only, but pointers to them are not. VTable pointers reside in objects that are writable, allowing attackers to overwrite them. As a result, attackers can divert the control-flow of virtual function calls and launch VTable hijacking attacks. Researchers have proposed several solutions to protect virtual calls. However, they either incur high performance overhead or fail to defeat some VTable hijacking attacks.In this paper, we propose a lightweight defense solution, VTrust, to protect all virtual function calls from VTable hijacking attacks. It consists of two independent layers of defenses: virtual function type enforcement and VTable pointer sanitization. Combined with modern compilers' default configuration, i.e., placing VTables in read-only memory, VTrust can defeat all VTable hijacking attacks and supports modularity, allowing us to harden applications module by module. We have implemented a prototype on the LLVM compiler framework. Our experiments show that this solution only introduces a low performance overhead, and it defeats real world VTable hijacking attacks.

show abstract

Section: B Attack Surfacementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

VTrust: Regaining Trust on Virtual Calls

Zhang¹,

Song²,

Carr³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…It's a software-based approach to detect attacks. Recently Schuster et al [2] came up with a new type of attack, called counterfeit object-oriented programming (COOP).…”

Section: Related Workmentioning

confidence: 99%

Hardware-Assisted System for Program Execution Security of SOC

et al. 2016

View full text Add to dashboard Cite

Abstract. With the rapid development of embedded systems, the systems' security has become more and more important. Most embedded systems are at the risk of series of software attacks, such as buffer overflow attack, Trojan virus. In addition, with the rapid growth in the number of embedded systems and wide application, followed embedded hardware attacks are also increasing. This paper presents a new hardware assisted security mechanism to protect the program's code and data, monitoring its normal execution. The mechanism mainly monitors three types of information: the start/end address of the program of basic blocks; the lightweight hash value in basic blocks and address of the next basic block. These parameters are extracted through additional tools running on PC. The information will be stored in the security module. During normal program execution, the security module is designed to compare the real-time state of program with the information in the security module. If abnormal, it will trigger the appropriate security response, suspend the program and jump to the specified location. The module has been tested and validated on the SOPC with OR1200 processor. The experimental analysis shows that the proposed mechanism can defence a wide range of common software and physical attacks with low performance penalties and minimal overheads.

show abstract