VTint: Protecting Virtual Function Tables Integrity - PowerPoint PPT Presentation
  1. VTint: Protecting Virtual Function Tables’ Integrity Chao Zhang (UC Berkeley) Chengyu Song (Georgia Tech) Kevin Zhijie Chen (UC Berkeley) Zhaofeng Chen (Peking University) Dawn Song (UC Berkeley)

  2. VTable for Dynamic Dispatch (C++)
  • Source:
      class Sub: public Base1, Base2 { … };
      void foo(Base2* obj) { obj->vg4(); }
      void main() { Base2* obj = new Sub(); foo(obj); }
  • Memory layout (diagram): the Sub object s lives in the writable section and holds vfptr, base1_a, a second vfptr for its Base2 subobject, base2_a and sub_a. The VTables live in the read-only section: VTable for Base1 (Base1::vf1 … Base1::vf10), VTable for Base2 (Base2::vg1 … Base2::vg10), VTable for Sub::Base1 (Sub::vf1 … Sub::vf10) and VTable for Sub::Base2 (Sub::vg1 … Sub::vg10, Sub::vh1 … Sub::vh10). The virtual functions themselves are in the code section.
  • Compiled code:
      ; Function main()
      push SIZE
      call malloc()
      mov ecx, eax
      call Sub::Sub()
      ; now ECX points to the Sub object
      add ecx, 8
      ; now ECX points to the Sub::Base2 object
      call foo()
      ret

      ; Function foo()
      mov eax, [ecx]         ; read vfptr of Base2
      mov edx, [eax+0x0C]    ; get vg4() from vtable
      call edx               ; call Base2::vg4()
      ret

  3. VTable Hijacking in real world
  • Recipe: vulnerabilities like use-after-free + VTable injection + ROP gadgets
  • Examples: Pwn2Own 2014 Firefox, Pwn2Own 2014 Chrome, CVE-2014-1772 (IE)
  (Diagram: same layout as slide 2, except that the object's vfptr has been replaced by new_vfptr, which points to a fake VTable in the writable section whose entries are ROP gadgets. foo()'s "mov eax, [ecx]; mov edx, [eax+0x0C]; call edx" now calls a gadget instead of Base2::vg4().)

  4. VTable Hijacking in real world
  • A common way to exploit memory-safety bugs (use-after-free, heap overflow, format string, …): hijack the VTable, then use it
  • Google: "80% attacks exploit use-after-free…"
  • Microsoft: 50% of CVEs targeting Windows 7 are UAF
  • BIG targets in the cloud, written in C++

  5. VTable Hijacking Classification (slides 5-7 build this up step by step)
  • VTable corruption
    o overwrite the VTable (an entry now points to shellcode())
  • VTable injection
    o overwrite vfptr
    o point to a fake VTable (whose entries point to shellcode())
  • VTable reuse
    o overwrite vfptr
    o point to an existing VTable, data, etc.
  (Diagram: same memory layout as slide 2. The Sub object and, for injection, the fake VTable are in the writable section; the real VTables for Base1, Base2, Sub::Base1 and Sub::Base2 are in the read-only section.)
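The three classes above, as an added C example (the example's own code, not from the slides or the VTint implementation): a struct whose first word is the vfptr models a C++ Base2 (sub)object, so the unhardened virtual call is the same two loads and an indirect call as foo() on slide 2. Names follow the slides (Base2, Base1, vg4); `evil`, `vf4`, and the plain assignments that stand in for a use-after-free or heap-overflow write primitive are the example's assumptions.

```c
#include <stdio.h>

typedef int (*vfn)(void *self);

/* A VTable: four entries suffice to reach vg4 (the slides show ten). */
struct vtable { vfn slot[4]; };

/* Layout of a Base2 (sub)object: the vfptr is the first word, as on slide 2. */
struct object { const struct vtable *vfptr; int base2_a; };

static int vg1(void *self) { (void)self; return 1; }
static int vg2(void *self) { (void)self; return 2; }
static int vg3(void *self) { (void)self; return 3; }
static int vg4(void *self) { (void)self; return 4; }
static int vf4(void *self) { (void)self; return 104; }    /* Base1's fourth virtual function (assumed) */
static int evil(void *self) { (void)self; return 0xbad; } /* stand-in for shellcode / a ROP gadget */

/* Base2's real VTable. In the binary it sits in a read-only section; it is
 * non-const here only so that the corruption case can be written at all. */
static struct vtable vtable_Base2 = {{ vg1, vg2, vg3, vg4 }};
/* Another existing VTable (Base1's), a target for VTable reuse. */
static const struct vtable vtable_Base1 = {{ 0, 0, 0, vf4 }};

/* Unhardened dispatch of obj->vg4(): "mov eax,[ecx]; mov edx,[eax+0xC]; call edx". */
static int call_vg4(struct object *obj) { return obj->vfptr->slot[3](obj); }

int legit_call(void)
{
    struct object obj = { &vtable_Base2, 0 };
    return call_vg4(&obj);                        /* 4 */
}

/* VTable corruption: overwrite an entry of the VTable itself. Only possible
 * while the VTable page is writable, which is exactly what VTint takes away. */
int vtable_corruption(void)
{
    struct object obj = { &vtable_Base2, 0 };
    vfn saved = vtable_Base2.slot[3];
    vtable_Base2.slot[3] = evil;                  /* assumed write primitive */
    int r = call_vg4(&obj);                       /* 0xbad */
    vtable_Base2.slot[3] = saved;                 /* undo so later calls stay benign */
    return r;
}

/* VTable injection: the real VTable is untouched; the object's vfptr is
 * redirected to an attacker-controlled fake table in writable memory. */
int vtable_injection(void)
{
    struct object obj = { &vtable_Base2, 0 };
    struct vtable fake = {{ evil, evil, evil, evil }};   /* e.g. heap-sprayed */
    obj.vfptr = &fake;                            /* assumed write primitive (UAF / overflow) */
    return call_vg4(&obj);                        /* 0xbad */
}

/* VTable reuse: the vfptr is redirected to an existing table (or VTable-like
 * data). No writable VTable is needed, so read-only VTables alone do not stop
 * it; VTint's VTID check rules out non-VTable data, while reuse of a genuine
 * VTable stays a stated limitation (slide 25). */
int vtable_reuse(void)
{
    struct object obj = { &vtable_Base2, 0 };
    obj.vfptr = &vtable_Base1;                    /* assumed write primitive */
    return call_vg4(&obj);                        /* 104: Base1::vf4 runs instead of vg4 */
}

int main(void)
{
    printf("legit=%d corruption=%#x injection=%#x reuse=%d\n",
           legit_call(), vtable_corruption(), vtable_injection(), vtable_reuse());
    return 0;
}
```

The corruption case is the only one that needs the table itself to be writable; injection and reuse only need a single pointer-sized write into the object, which is why slide 10 lists "VTable is writable" as a requirement for corruption and injection (the fake table must live somewhere writable) but not for reuse.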

  8. VTint • Motivation • VTint Design • VTint Implementation • Evaluation

  9. Our solution: VTint
  • Goal: defeat VTable hijacking
    o lightweight
    o binary-compatible (works on binaries, no source needed)
    o effective

  10. Observation

    Attack             Requirement
    VTable corruption  overwrite VTable                                  VTable is writable
    VTable injection   overwrite vfptr, point to injected VTable         VTable is writable
    VTable reuse       overwrite vfptr, point to existing VTable/data    VTable-like data, existing VTable

  11. Observation → Intuition

    Attack             Requirement                                        Countermeasure
    VTable corruption  overwrite VTable; VTable is writable               Read-only VTable
    VTable injection   overwrite vfptr, point to injected VTable;         Read-only VTable
                       VTable is writable
    VTable reuse       overwrite vfptr, point to existing VTable/data;    different VTable/data
                       VTable-like data, existing VTable

  • Telling the right VTable from a different one needs exact TYPE information: lightweight source-code solutions like VTGuard

  12. VTint vs. DEP

    VTint                                        DEP
    VTable corruption: Read-only VTable          Code corruption: Read-only code section
    VTable injection:  Read-only VTable          Code injection:  Read-only code section
                                                 (writable sections will not be executed)
    VTable reuse:      different VTable/data     Code reuse:      NO

  • Similar to DEP
    o lightweight, and can be binary-compatible
  • Different from DEP
    o after hardening, the attack surface is smaller

  13. VTint • Motivation • VTint Design • VTint Implementation • Evaluation

  14. Architecture
  (Pipeline diagram: PE executable → PEParser (parsing PE files) → candidate VTables, function entries → BitCover (recursive disassembling) → VTables, virtual calls → VRewriter (instrumenting) → VTables, hardened virtual calls → hardened PE)
  • Binary parsing
  • Disassembling
  • Binary rewriting

  15. Binary Parsing (PEParser)
  • PE format
    o relocation table
    o import/export table
  • Output:
    o candidate function entries
      § relocation entries, export entries, EntryPoint
    o candidate VTables
      § addresses of VTables are in the relocation table
      § entries in VTables are also in the relocation table

  16. Disassembling (BitCover)
  • Goal
    o recover CFG
      § find out all functions, instructions
    o recover high-level information
      § constructor functions
      § real VTables
      § virtual function calls
  • Recursive disassembly
    o starting from candidate function entries
    o targeting normal PE binaries, with relocation table

  17. Disassembling (1): Identify Constructor Functions
  • Basic pattern
      ; allocate object memory        (object init)
      push SIZE
      call malloc()
      mov ecx, eax
      ; get VTable ptr                (vtable reference)
      mov eax, vfptr
      ; assign VTable to object       (vtable assignment)
      mov [ecx], eax
  • Identification
    o we know candidate vtables

  18. Disassembling (2): Identify VTables
  • Basic pattern
      ; assign to objects in constructors
      mov [ecx], vfptr
  • Identification
    o we know candidate vtables
    o find vtable assignments
  • VTable size
    o unable to get exact size in binaries
    o we can estimate the maximum size
      § continuous relocation entries
      § adjacent RTTI, this adjustors, base offsets

  19. Disassembling (3): Identify Virtual Function Calls
  • Basic pattern
      ; get vtable ptr from object          (vtable read operation)
      mov eax, [ecx+8]
      ; get virtual func ptr from vtable    (vfunc read operation)
      mov edx, [eax+24]
      ; prepare this ptr for callee         (this argument)
      add ecx, 8
      ; call virtual function               (indirect call)
      call edx
  • Identification
    o we know indirect calls
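Slides 17 to 19 describe recognising constructors, VTables and virtual calls by pattern over a recursively disassembled listing. The added C example below is this editor's toy, not BitCover: it runs the two patterns over a constructed Intel-syntax listing for the program on slide 2. The listing, the candidate VTable addresses (standing in for relocation entries handed over by PEParser, including one relocated pointer that is not a VTable) and the text-based instruction format are assumptions; a real implementation works on decoded instructions, not strings, and tracks register definitions across a proper CFG rather than a linear scan that stops at `ret`.

```c
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit listing (an assumption, not compiler output): main() allocates a
 * Sub, Sub::Sub() stores two vfptrs, foo() makes the virtual call from slide 19. */
static const char *listing[] = {
    "push 0x14", "call malloc", "mov ecx, eax", "call Sub::Sub",                /*  0-3  main   */
    "add ecx, 8", "call foo", "ret",                                            /*  4-6         */
    "mov eax, 0x401000", "mov [ecx], eax",                                      /*  7-8  Sub::Sub: VTable for Sub::Base1 */
    "mov dword [ecx+4], 0x0", "mov dword [ecx+8], 0x401040", "ret",             /*  9-11 base1_a = 0, VTable for Sub::Base2 */
    "mov eax, [ecx+8]", "mov edx, [eax+24]", "add ecx, 8", "call edx", "ret",   /* 12-16 foo    */
};
#define NINSN (int)(sizeof listing / sizeof listing[0])

/* Candidate VTable addresses from the relocation table (assumed); 0x402000 is not a VTable. */
static const unsigned long candidates[] = { 0x401000, 0x401040, 0x402000 };

static int is_reg(const char *s) { return strlen(s) == 3 && strstr("eax ebx ecx edx esi edi ebp esp", s) != NULL; }

static int is_candidate(unsigned long a)
{
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        if (candidates[i] == a) return 1;
    return 0;
}

/* Parse "[reg]" or "[reg+disp]" at s; returns characters consumed, 0 if no match. */
static int parse_mem(const char *s, char *base, int *disp)
{
    int n = 0; *disp = 0;
    if (sscanf(s, "[%7[a-z]+%d]%n", base, disp, &n) == 2 && n) return n;
    if (sscanf(s, "[%7[a-z]]%n", base, &n) == 1 && n) return n;
    return 0;
}

/* "mov [base+disp], <src>": returns the <src> text, NULL if the line is not a store. */
static const char *store_src(const char *insn, char *base, int *disp)
{
    const char *p = strchr(insn, '['); int n;
    if (strncmp(insn, "mov ", 4) != 0 || !p || (n = parse_mem(p, base, disp)) == 0) return NULL;
    return strncmp(p + n, ", ", 2) == 0 ? p + n + 2 : NULL;
}

/* Does the instruction write register r? (any "op r, ..." other than call/push) */
static int defines(const char *insn, const char *r)
{
    char op[8], dst[8];
    if (sscanf(insn, "%7s %7[a-z]", op, dst) != 2) return 0;
    return strcmp(op, "call") != 0 && strcmp(op, "push") != 0 && strcmp(dst, r) == 0;
}

/* "mov dst, [base+disp]"? */
static int is_mem_load(const char *insn, char *dst, char *base, int *disp)
{
    int n = 0;
    if (sscanf(insn, "mov %7[a-z], %n", dst, &n) != 1 || n == 0) return 0;
    return parse_mem(insn + n, base, disp) > 0;
}

/* Index of the last instruction before i that defines r, or -1 (stops at a ret). */
static int find_def(int i, const char *r)
{
    for (int k = i - 1; k >= 0 && strcmp(listing[k], "ret") != 0; k--)
        if (defines(listing[k], r)) return k;
    return -1;
}

struct vcall { int call_idx, vtable_off, slot_off; };

/* Slide 19: "call REG" fed by "mov REG, [R1+slot]" fed by "mov R1, [R0+vtable_off]". */
int find_virtual_calls(struct vcall *out, int max)
{
    int found = 0;
    for (int i = 0; i < NINSN && found < max; i++) {
        char reg[8], r1[8], b1[8], r2[8], b2[8]; int d1, d2, j, k;
        if (sscanf(listing[i], "call %7[a-z]", reg) != 1 || !is_reg(reg)) continue;
        if ((j = find_def(i, reg)) < 0 || !is_mem_load(listing[j], r1, b1, &d1)) continue;  /* vfunc read  */
        if ((k = find_def(j, b1)) < 0 || !is_mem_load(listing[k], r2, b2, &d2)) continue;   /* vtable read */
        out[found].call_idx = i; out[found].vtable_off = d2; out[found].slot_off = d1;
        found++;
    }
    return found;
}

/* Slides 17/18: a candidate is a real VTable when a constructor stores it into an
 * object, either "mov [obj+off], imm" or "mov r, imm ... mov [obj+off], r". */
int find_vtables(unsigned long *out, int max)
{
    int found = 0;
    for (int i = 0; i < NINSN && found < max; i++) {
        char reg[8], base[8]; int disp; unsigned long imm; const char *src;
        if ((src = store_src(listing[i], base, &disp)) != NULL) {
            if (sscanf(src, "0x%lx", &imm) == 1 && is_candidate(imm)) out[found++] = imm;
        } else if (sscanf(listing[i], "mov %7[a-z], 0x%lx", reg, &imm) == 2 && is_candidate(imm)) {
            for (int k = i + 1; k < NINSN && strcmp(listing[k], "ret") != 0 && !defines(listing[k], reg); k++)
                if ((src = store_src(listing[k], base, &disp)) != NULL && strcmp(src, reg) == 0) {
                    out[found++] = imm;
                    break;
                }
        }
    }
    return found;
}
```

On this listing `find_vtables` confirms 0x401000 and 0x401040 (the store of 0x0 into base1_a and the unused candidate 0x402000 are dropped), and `find_virtual_calls` reports one call site, instruction 15, with the vtable read at [this+8] and the function pointer at [vtable+24], which is the information VRewriter needs to place its checks between the two loads.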

  20. Binary Rewriting (VRewriter)
  • Security policy
    o enforce VTables to be read-only
    o differentiate VTables from other data
  • Rewriting: the virtual call site from slide 19 becomes
      ; get vtable ptr from object
      mov eax, [ecx+8]
      check vtable page has VTID
      check vtable page is read-only
      ; get virtual func ptr from vtable
      mov edx, [eax+24]
      ; call virtual function
      call edx
  (Diagram: VTables are collected into read-only pages, each beginning with a VTID marker followed by VTable 1, VTable 2, … Info leakage? No problem! The checks do not depend on keeping the VTID or the VTable addresses secret.)
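The hardened call sequence above, as an added C example for Linux (the example's own code, not VTint's rewriter output): a VTable page is laid out with a VTID marker at its start and made read-only with mprotect, and the call site checks both properties before dispatching. The VTID value, the in-page layout, the function names, and the use of /proc/self/maps to decide whether a page is read-only (VirtualQuery would serve on Windows; the slides do not say how VTint implements this check) are the example's assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Marker at the start of every VTable page (value assumed; the slides fix none). */
#define VTID 0x56544944u

typedef int (*vfn)(void *self);
static int vg1(void *s) { (void)s; return 1; }
static int vg2(void *s) { (void)s; return 2; }
static int vg3(void *s) { (void)s; return 3; }
static int vg4(void *s) { (void)s; return 4; }
static int evil(void *s) { (void)s; return 0xbad; }   /* attacker's target */

struct object { const vfn *vfptr; int base2_a; };      /* Base2 layout: vfptr first */

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Stand-in for the "page is read-only" test: look the page up in /proc/self/maps
 * (Linux; VirtualQuery would play this role on Windows). Unmapped pages fail too. */
static int page_is_readonly(uintptr_t page)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[256], perms[5]; unsigned long lo, hi; int ro = 0;
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 && page >= lo && page < hi) {
            ro = perms[0] == 'r' && perms[1] == '-';
            break;
        }
    fclose(f);
    return ro;
}

/* The two checks VTint inserts between the vtable read and the vfunc read (slide 20). */
static int vtable_check(const vfn *vfptr)
{
    uintptr_t page = (uintptr_t)vfptr & ~((uintptr_t)page_size() - 1);
    uint32_t id;
    if (!page_is_readonly(page)) return 0;          /* check vtable page is read-only */
    memcpy(&id, (const void *)page, sizeof id);
    return id == VTID;                              /* check vtable page has VTID */
}

/* Hardened dispatch of obj->vg4(); -1 stands for the abort VTint would raise. */
int hardened_call_vg4(struct object *obj)
{
    if (!vtable_check(obj->vfptr)) return -1;
    return obj->vfptr[3](obj);
}

/* A fresh page that is writable until the caller protects it; NULL on failure. */
static unsigned char *new_page(void)
{
    void *pg = mmap(NULL, page_size(), PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return pg == MAP_FAILED ? NULL : pg;
}

/* Benign: VTable page laid out as the rewriter does (VTID first, tables after), then read-only. */
int legit_call(void)
{
    unsigned char *pg = new_page();
    vfn table[4] = { vg1, vg2, vg3, vg4 };
    uint32_t id = VTID;
    if (!pg) return -2;
    memcpy(pg, &id, sizeof id);
    memcpy(pg + 16, table, sizeof table);
    if (mprotect(pg, page_size(), PROT_READ) != 0) return -2;
    struct object obj = { (const vfn *)(pg + 16), 0 };
    return hardened_call_vg4(&obj);                 /* 4 */
}

/* VTable injection: a fake table on a writable heap page is rejected by the
 * read-only check even though the attacker forged the VTID at the page start. */
int injected_call(void)
{
    void *pg = NULL; uint32_t id = VTID; vfn fake[4] = { evil, evil, evil, evil };
    if (posix_memalign(&pg, page_size(), page_size()) != 0) return -2;
    memcpy(pg, &id, sizeof id);                     /* forged marker: leaking VTID buys nothing */
    memcpy((unsigned char *)pg + 16, fake, sizeof fake);
    struct object obj = { (const vfn *)((unsigned char *)pg + 16), 0 };
    int r = hardened_call_vg4(&obj);                /* -1 */
    free(pg);
    return r;
}

/* VTable reuse against VTable-like data: read-only, but not on a VTID page. */
int reuse_data_call(void)
{
    unsigned char *pg = new_page();
    vfn table[4] = { evil, evil, evil, evil };      /* e.g. a function-pointer table in .rdata */
    if (!pg) return -2;
    memcpy(pg + 32, table, sizeof table);
    if (mprotect(pg, page_size(), PROT_READ) != 0) return -2;
    struct object obj = { (const vfn *)(pg + 32), 0 };
    return hardened_call_vg4(&obj);                 /* -1 */
}
```

Calling `legit_call`, `injected_call` and `reuse_data_call` yields 4, -1 and -1. The order of the checks matters: the read-only lookup runs first so that the VTID read never touches a page that is not mapped. Neither check relies on a secret, which is the point of the "Info leakage? No problem!" note on the slide: forging the marker needs a writable page, and that is what the read-only check rejects. What the example cannot catch, matching slide 25, is a vfptr redirected to another genuine VTable on a VTID page.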

  21. VTint • Motivation • VTint Solution • VTint Implementation • Evaluation

  22. Static Analysis Results • Firefox analysis o fast analysis for each module o small file size overhead

  23. Performance Evaluation • Firefox • Chrome • Average performance overhead is less than 2%

  24. Protection Effect • Real World Exploits

  25. Limitations
  • Binary disassembling
  • High-level information recovery
    o constructor functions
    o VTables
    o virtual function calls
  • Reusing existing VTables
    o call existing virtual functions

  26. Conclusion • VTable hijacking is popular and critical • Existing solutions are not perfect • VTint is a lightweight, binary-compatible and effective defense against VTable hijacking, similar to DEP

  27. Thanks!
