MARX: Uncovering Class Hierarchies in C++ Programs

Pawlowski, Andre; Contag, Moritz; Veen, Victor van der; Ouwehand, Chris; Holz, Thorsten; Bos, Herbert; Αθανασόπουλος, Ηλίας; Giuffrida, Cristiano

doi:10.14722/ndss.2017.23096

Cited by 17 publications

(42 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A better way would be to improve the static analysis to only keep functions in the vtable that are actually used. For this to work correctly, our approach has to track the data flow of vtables precisely to identify all used functions and must be able to modify entries in the vtables to remove unused ones [29].…”

Section: Discussionmentioning

confidence: 99%

Towards Automated Application-Specific Software Stacks

Davidsson

Pawlowski

Holz

2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Software complexity has increased over the years. One common way to tackle this complexity during development is to encapsulate features into a shared library. This allows developers to reuse already implemented features instead of reimplementing them over and over again. However, not all features provided by a shared library are actually used by an application. As a result, an application using shared libraries loads unused code into memory, which an attacker can use to perform code-reuse and similar types of attacks. The same holds for applications written in a scripting language such as PHP or Ruby: The interpreter typically offers much more functionality than is actually required by the application and hence provides a larger overall attack surface.In this paper, we tackle this problem and propose a first step towards automated application-specific software stacks. We present a compiler extension capable of removing unneeded code from shared libraries and-with the help of domain knowledgealso capable of removing unused functionalities from an interpreter's code base during the compilation process. Our evaluation against a diverse set of real-world applications, among others Nginx, Lighttpd, and the PHP interpreter, removes on average 71.3% of the code in musl-libc, a popular libc implementation. The evaluation on web applications show that a tailored PHP interpreter can mitigate entire vulnerability classes, as is the case for OpenConf. We demonstrate the applicability of our debloating approach by creating an application-specific software stack for a Wordpress web application: we tailor the libc library to the Nginx web server and PHP interpreter, whereas the PHP interpreter is tailored to the Wordpress web application. In this real-world scenario, the code of the libc is decreased by 65.1% in total, thereby reducing the available code for code-reuse attacks.

show abstract

Section: Discussionmentioning

confidence: 99%

Towards Automated Application-Specific Software Stacks

Davidsson

Pawlowski

Holz

2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Eventually, the identified vtables are also used to identify and verify vcalls in the Virtual Callsite Identification phase. While the Vtable Identification static analysis is an improved and more exact version of Pawlowski et al [34] (finding vtables in .bss and GOT, considering indirect referencing of vtables), the other analyses are novel to . In the remainder of this section, we explain the details of our analysis approach.…”

Section: Analysis Approachmentioning

confidence: 99%

“…Compared to state-of-the-art binary-level analysis frameworks like Marx [34], our analysis identifies 26.5% more virtual callsites in SPEC CPU2017 and thus offers improved protection. induces geomean performance overhead of 9% for all C++ applications in SPEC CPU2017 and 11% for SPEC CPU2006, which is slightly more than Marx induces but with significantly better protection.…”

Section: Introductionmentioning

confidence: 98%

“…This approach allows us to prevent false positives from breaking the application as they do in existing work [22,24,36,44]. Additionally, while existing work [27][28][29]34] only considers directly referenced vtables, compilers also generate code that references vtables indirectly, e.g., through the Global Offset Table (GOT). can find all code locations that instantiate objects by writing the vtable, including objects with indirect vtable references.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

VPS

Pawlowski

Veen

Andriesse

et al. 2019

Proceedings of the 35th Annual Computer Security Applications Conference

Self Cite

View full text Add to dashboard Cite

Polymorphism and inheritance make C++ suitable for writing complex software, but significantly increase the attack surface because the implementation relies on virtual function tables (vtables). These vtables contain function pointers that attackers can potentially hijack and in practice, vtable hijacking is one of the most important attack vector for C++ binaries. In this paper, we present VTable Pointer Separation (), a practical binary-level defense against vtable hijacking in C++ applications. Unlike previous binary-level defenses, which rely on unsound static analyses to match classes to virtual callsites, achieves a more accurate protection by restricting virtual callsites to validly created objects. More specifically, ensures that virtual callsites can only use objects created at valid object construction sites, and only if those objects can reach the callsite. Moreover, explicitly prevents false positives (falsely identified virtual callsites) from breaking the binary, an issue existing work does not handle correctly or at all. We evaluate the prototype implementation of on a diverse set of complex, real-world applications (MongoDB, MySQL server, Node.js, SPEC CPU2017/CPU2006), showing that our approach protects on average 97.8% of all virtual callsites in SPEC CPU2006 and 97.4% in SPEC CPU2017 (all C++ benchmarks), with a moderate performance overhead of 11% and 9% geomean, respectively. Furthermore, our evaluation reveals 86 false negatives in VTV, a popular source-based defense which is part of GCC.

show abstract

“…Like Type-After-Type, Cling [2] offers type-safe memory reuse, but with important differences. First, it does not at all support the stack, leaving software vulnerable to widespread temporal stack vulnerabilities (and this is also the case for more recent variants focusing only on heap C++ objects [35]). Second, it is more limited in the detection of types and wrappers.…”

Section: Related Workmentioning

confidence: 99%

Type-After-Type

Kouwe

Kroes

Ouwehand

et al. 2018

Proceedings of the 34th Annual Computer Security Applications Conference

Self Cite

View full text Add to dashboard Cite

Temporal memory errors, such as use-after-free bugs, are increasingly popular among attackers and their exploitation is hard to stop efficiently using current techniques. We present a new design, called Type-After-Type, which builds on abstractions in production allocators to provide complete temporal type safety for C/C++ programs-ensuring that memory reuse is always type safe-and efficiently hinder temporal memory attacks. Type-After-Type uses static analysis to determine the types of all heap and stack allocations, and replaces regular allocations with typed allocations that never reuse memory previously used by other types. On the heap, Type-After-Type splits available memory into separate pools for each type. For the stack, Type-After-Type efficiently implements type-safe memory reuse for the first time, pushing variables on separate stacks according to their types, unless they are provably safe (e.g., their address is not taken), in which case they are zeroinitialized and kept on a special stack. In our evaluation, we show that Type-After-Type stops a variety of real-world temporal memory attacks and on SPEC CPU2006 incurs a performance overhead of 4.3% and a memory overhead of 17.4% (geomean).

show abstract

MARX: Uncovering Class Hierarchies in C++ Programs

Cited by 17 publications

References 14 publications

Towards Automated Application-Specific Software Stacks

Towards Automated Application-Specific Software Stacks

VPS

Type-After-Type

Contact Info

Product

Resources

About