Java Type Confusion and Fault Attacks

Vertanen, Olli

doi:10.1007/11889700_21

Cited by 10 publications

(9 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Because the attacker has overwritten the vtable pointer in the freed object, this method call will jump to an address of the attacker's choosing, as specified by their counterfeit vtable. Exploiting such use-after-free errors is just one way to launch vtable hijakcing attacks, others include traditional buffer overflows on the stack or the heap [4] and type confusion [5], [6] attacks. Unfortunately, such vtable hijacking attacks are no longer merely a hypothetical threat [7], [8].…”

Section: Introductionmentioning

confidence: 99%

SAFEDISPATCH: Securing C++ Virtual Calls from Memory Corruption Attacks

Jang

Tatlock

Lerner

2014

Proceedings 2014 Network and Distributed System Security Symposium

103

View full text Add to dashboard Cite

Abstract-Several defenses have increased the cost of traditional, low-level attacks that corrupt control data, e.g. return addresses saved on the stack, to compromise program execution. In response, creative adversaries have begun circumventing these defenses by exploiting programming errors to manipulate pointers to virtual tables, or vtables, of C++ objects. These attacks can hijack program control flow whenever a virtual method of a corrupted object is called, potentially allowing the attacker to gain complete control of the underlying system. In this paper we present SAFEDISPATCH, a novel defense to prevent such vtable hijacking by statically analyzing C++ programs and inserting sufficient runtime checks to ensure that control flow at virtual method call sites cannot be arbitrarily influenced by an attacker. We implemented SAFEDISPATCH as a Clang++/LLVM extension, used our enhanced compiler to build a vtable-safe version of the Google Chromium browser, and measured the performance overhead of our approach on popular browser benchmark suites. By carefully crafting a handful of optimizations, we were able to reduce average runtime overhead to just 2.1%.

show abstract

Section: Introductionmentioning

confidence: 99%

SAFEDISPATCH: Securing C++ Virtual Calls from Memory Corruption Attacks

Jang

Tatlock

Lerner

2014

Proceedings 2014 Network and Distributed System Security Symposium

103

View full text Add to dashboard Cite

show abstract

“…To be able to execute Java applets, the VM uses internal data structures, such as the OS or the LV, to store interim results of logical and combinatorial operations. All of these internal data structures are general objects for adversaries that attack the Java Card [4,20,24]. For every method invocation performed by the VM, a new Java frame [19] is created.…”

Section: Java Card Virtual Machinementioning

confidence: 99%

“…This influence is abused by an FA to change the normal control and data flow of the integrated circuit. Such FAs include glitch attacks on the power supply and laser attacks on the cards [2,24]. By performing side-channel analyses and FAs in combination, it is possible to break cryptographic algorithms to receive secret data or keys [16].…”

Section: Attacks On Java Cardsmentioning

confidence: 99%

See 1 more Smart Citation

A Defensive Virtual Machine Layer to Counteract Fault Attacks on Java Cards

Lackner

Berlach

Raschke

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. The objective of Java Cards is to protect security-critical code and data against a hostile environment. Adversaries perform fault attacks on these cards to change the control and data flow of the Java Card Virtual Machine. These attacks confuse the Java type system, jump to forbidden code or remove run-time security checks. This work introduces a novel security layer for a defensive Java Card Virtual Machine to counteract fault attacks. The advantages of this layer from the security and design perspectives of the virtual machine are demonstrated. In a case study, we demonstrate three implementations of the abstraction layer running on a Java Card prototype. Two implementations use software checks that are optimized for either memory consumption or execution speed. The third implementation accelerates the run-time verification process by using the dedicated hardware protection units of the Java Card.

show abstract

“…Another way [8,9] is to trick the virtual machine to handle an object as an array. Hence, fields from a forged object can be seen as length of the array if they are stored at the same offset in the physical memory.…”

Section: Logical Attackmentioning

confidence: 99%

Developing a Trojan applets in a smart card

Iguchi-Cartigny

Lanet

2009

J Comput Virol

View full text Add to dashboard Cite

This paper presents a method to inject a mutable Java Card applet into a smart card. This code can on demand parse the memory in order to search for a given pattern and eliminate it. One of these key features is to bypass security checks or retrieve secret data from other applets. We evaluate the countermeasures against this attack and we show how some of them can be circumvented and we propose to combine this attack with others already known.

show abstract

Java Type Confusion and Fault Attacks

Cited by 10 publications

References 19 publications

SAFEDISPATCH: Securing C++ Virtual Calls from Memory Corruption Attacks

SAFEDISPATCH: Securing C++ Virtual Calls from Memory Corruption Attacks

A Defensive Virtual Machine Layer to Counteract Fault Attacks on Java Cards

Developing a Trojan applets in a smart card

Contact Info

Product

Resources

About