Protecting C++ Dynamic Dispatch Through VTable Interleaving

Bounov, Dimitar; Kıcı, Rami Gökhan; Lerner, Sorin

doi:10.14722/ndss.2016.23421

Cited by 46 publications

(44 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…CFI mechanisms work by using static analysis to create an over approximation of the control-flow graph (CFG), and then enforce at runtime that all transitions must be within the statically computed CFG. After the initial proposal, follow on research has removed the need for whole program analysis [57], [58], and specialized CFI to use additional information in C++ programs when protecting virtual calls [59], [60]. To improve the precision of the CFG construction underlying CFI, more advanced static analysis techniques have been proposed [61].…”

Section: Related Workmentioning

confidence: 99%

SoK: Shining Light on Shadow Stacks

Burow¹,

Zhang²,

Payer³

2019

2019 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Control-Flow Hijacking attacks are the dominant attack vector against C/C++ programs. Control-Flow Integrity (CFI) solutions mitigate these attacks on the forward edge, i.e., indirect calls through function pointers and virtual calls. Protecting the backward edge is left to stack canaries, which are easily bypassed through information leaks. Shadow Stacks are a fully precise mechanism for protecting backwards edges, and should be deployed with CFI mitigations.We present a comprehensive analysis of all possible shadow stack mechanisms along three axes: performance, compatibility, and security. For performance comparisons we use SPEC CPU2006, while security and compatibility are qualitatively analyzed. Based on our study, we renew calls for a shadow stack design that leverages a dedicated register, resulting in low performance overhead, and minimal memory overhead, but sacrifices compatibility. We present case studies of our implementation of such a design, Shadesmar, on Phoronix and Apache to demonstrate the feasibility of dedicating a general purpose register to a security monitor on modern architectures, and Shadesmar's deployability. Our comprehensive analysis, including detailed case studies for our novel design, allows compiler designers and practitioners to select the correct shadow stack design for different usage scenarios.Shadow stacks belong to the class of defense mechanisms that require metadata about the program's state to enforce their defense policies. Protecting this metadata for deployed mitigations requires in-process isolation of a segment of the virtual address space. Prior work on defenses in this class has relied on information hiding to protect metadata. We show that stronger guarantees are possible by repurposing two new Intel x86 extensions for memory protection (MPX), and page table control (MPK). Building on our isolation efforts with MPX and MPK, we present the design requirements for a dedicated hardware mechanism to support intra-process memory isolation, and discuss how such a mechanism can empower the next wave of highly precise software security mitigations that rely on partially isolated information in a process.

show abstract

Section: Related Workmentioning

confidence: 99%

SoK: Shining Light on Shadow Stacks

Burow¹,

Zhang²,

Payer³

2019

2019 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…A lot of work has been done on security implications of how dynamic dispatch is implemented [Borchert and Spinczyk 2016;Bounov et al 2016;Dewey and Giffin 2012;Elsabagh et al 2017;Gawlik and Holz 2014;Haller et al 2015;Jang et al 2014;Miller et al 2014;Prakash et al 2015;Sarbinowski et al 2016;Tice et al 2014;Zhang et al , 2016Zixiang et al 2016]. Our work is concerned with object sharing, but security implications would be interesting to study.…”

Section: Implementations Of Dynamic Dispatchmentioning

confidence: 99%

SAVI objects: sharing and virtuality incorporated

Hajj

Jablin

Milojičić

et al. 2017

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Direct sharing and storing of memory objects allows high-performance and low-overhead collaboration between parallel processes or application workflows with loosely coupled programs. However, sharing of objects is hindered by the inability to use subtype polymorphism which is common in object-oriented programming languages. That is because implementations of subtype polymorphism in modern compilers rely on using virtual tables stored at process-specific locations, which makes objects unusable in processes other than the creating process.In this paper, we present SAVI Objects, objects with Sharing and Virtuality Incorporated. SAVI Objects support subtype polymorphism but can still be shared across processes and stored in persistent data structures. We propose two different techniques to implement SAVI Objects and evaluate the tradeoffs between them. The first technique is virtual table duplication which adheres to the virtual-table-based implementation of subtype polymorphism, but duplicates virtual tables for shared objects to fixed memory addresses associated with each shared memory region. The second technique is hashing-based dynamic dispatch which re-implements subtype polymorphism using hashing-based look-ups to a global virtual table.Our results show that SAVI Objects enable direct sharing and storing of memory objects that use subtype polymorphism by adding modest overhead costs to object construction and dynamic dispatch time. SAVI Objects thus enable faster inter-process communication, improving the overall performance of production applications that share polymorphic objects.

show abstract

“…While their attack targets similar components to ours, these two attacks are conceptually different. The PS Vita attack is based on a well-known COOP-style attack which overwrites object's virtual function table (vtable) pointer with a pointer to a fake vtable [51], and thus this attack would be prevented by existing defenses against vtable corruption or vtable reuse attacks [14], [24], [67]. In contrast, our attack deliberately overwrites the internal data of a JavaScript object (not the vtable pointers of any objects with virtual methods) to invoke a chosen function; in fact, this manipulates how the bytecode interpreter interprets the corrupted JavaScript object.…”

Section: Related Workmentioning

confidence: 99%

NoJITsu: Locking Down JavaScript Engines

Park

Dhondt²,

Gens

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Data-only attacks against dynamic scripting environments have become common. Web browsers and other modern applications embed scripting engines to support interactive content. The scripting engines optimize performance via just-intime compilation. Since applications are increasingly hardened against code-reuse attacks, adversaries are looking to achieve code execution or elevate privileges by corrupting sensitive data like the intermediate representation of optimizing JIT compilers. This has inspired numerous defenses for just-in-time compilers. Our paper demonstrates that securing JIT compilation is not sufficient. First, we present a proof-of-concept data-only attack against a recent version of Mozilla's SpiderMonkey JIT in which the attacker only corrupts heap objects to successfully issue a system call from within bytecode execution at run time. Previous work assumed that bytecode execution is safe by construction since interpreters only allow a narrow set of benign instructions and bytecode is always checked for validity before execution. We show that this does not prevent malicious code execution in practice. Second, we design a novel defense, dubbed NOJITSU to protect complex, real-world scripting engines from data-only attacks against interpreted code. The key idea behind our defense is to enable fine-grained memory access control for individual memory regions based on their roles throughout the JavaScript lifecycle. For this we combine automated analysis, instrumentation, compartmentalization, and Intel's Memory-Protection Keys to secure SpiderMonkey against existing and newly synthesized attacks. We implement and thoroughly test our implementation using a number of real-world scenarios as well as standard benchmarks. We show that NOJITSU successfully thwarts codereuse as well as data-only attacks against any part of the scripting engine while offering a modest run-time overhead of only 5%.

show abstract

Protecting C++ Dynamic Dispatch Through VTable Interleaving

Cited by 46 publications

References 20 publications

SoK: Shining Light on Shadow Stacks

SoK: Shining Light on Shadow Stacks

SAVI objects: sharing and virtuality incorporated

NoJITsu: Locking Down JavaScript Engines

Contact Info

Product

Resources

About