DOI: 10.1145/2818000.2818025 (ACSAC conference proceedings, research article)

ShrinkWrap: VTable Protection without Loose Ends

Published: 07 December 2015

Abstract

As VTable hijacking becomes the primary mode of exploitation against modern browsers, protecting VTables has recently become a prime research interest. While multiple source- and binary-based solutions for protecting VTables have already been proposed, we found that in practice they are too conservative, which allows determined attackers to circumvent them. In this paper we delve into the design of C++ VTables and match that knowledge against the now industry-standard protection scheme, VTV. We propose an end-to-end design that significantly refines VTV to offer a provably optimal protection scheme. As we build on top of VTV, we preserve all of its advantages in terms of software compatibility and overhead; thus, our proposed design comes "for free" for any user today. Besides the design, we propose a testing methodology that future developers can use to validate their implementations. We evaluated our protection scheme on Google Chrome and show that no compatibility issues were introduced, while overhead is unchanged compared to the baseline of VTV.


Cited By

  • (2023) FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch Tracking. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 527-546. DOI: 10.1145/3607199.3607219. Online publication date: 16 Oct 2023.
  • (2023) Accelerating Type Confusion Detection by Identifying Harmless Type Castings. Proceedings of the 20th ACM International Conference on Computing Frontiers, pp. 91-100. DOI: 10.1145/3587135.3592205. Online publication date: 9 May 2023.
  • (2022) Extensible Virtual Call Integrity. Computer Security – ESORICS 2022, pp. 723-739. DOI: 10.1007/978-3-031-17143-7_35. Online publication date: 24 Sep 2022.
  • (2021) Program Obfuscation via ABI Debiasing. Proceedings of the 37th Annual Computer Security Applications Conference, pp. 146-157. DOI: 10.1145/3485832.3488017. Online publication date: 6 Dec 2021.
  • (2021) Exploiting Mixed Binaries. ACM Transactions on Privacy and Security 24(2), pp. 1-29. DOI: 10.1145/3418898. Online publication date: 2 Jan 2021.
  • (2021) NoVT: Eliminating C++ Virtual Calls to Mitigate Vtable Hijacking. 2021 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 650-666. DOI: 10.1109/EuroSP51992.2021.00049. Online publication date: Sep 2021.
  • (2020) Practical Fine-Grained Binary Code Randomization. Proceedings of the 36th Annual Computer Security Applications Conference, pp. 401-414. DOI: 10.1145/3427228.3427292. Online publication date: 7 Dec 2020.
  • (2020) ρFEM: Efficient Backward-edge Protection Using Reversed Forward-edge Mappings. Annual Computer Security Applications Conference, pp. 466-479. DOI: 10.1145/3427228.3427246. Online publication date: 7 Dec 2020.
  • (2020) Devil is Virtual: Reversing Virtual Inheritance in C++ Binaries. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 133-148. DOI: 10.1145/3372297.3417251. Online publication date: 30 Oct 2020.
  • (2019) Analyzing control flow integrity with LLVM-CFI. Proceedings of the 35th Annual Computer Security Applications Conference, pp. 584-597. DOI: 10.1145/3359789.3359806. Online publication date: 9 Dec 2019.

Published In

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference
December 2015, 489 pages
ISBN: 9781450336826
DOI: 10.1145/2818000

In-Cooperation: ACSA (Applied Computing Security Association)

Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC 2015

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%
