vtrust regaining trust on virtual calls
play

VTrust: Regaining Trust on Virtual Calls Chao Zhang , Sco5 A. Carr, - PowerPoint PPT Presentation

Aug 25, 2023 •126 likes •390 views

Title VTrust: Regaining Trust on Virtual Calls Chao Zhang , Sco5 A. Carr, Tongxin Li, Yu Ding, Chengyu Song, Mathias Payer, Dawn Song UC Berkeley, Purdue University, Peking University, Georgia Tech Title Virtual Call Hijacking in real world A

  1. Title VTrust: Regaining Trust on Virtual Calls Chao Zhang , Sco5 A. Carr, Tongxin Li, Yu Ding, Chengyu Song, Mathias Payer, Dawn Song UC Berkeley, Purdue University, Peking University, Georgia Tech

  2. Title Virtual Call Hijacking in real world A common way to exploit: • wri5en in C++ • heavy use of virtual funcMons and virtual calls heap overflow use aEer Virtual Call plenty of vulnerabiliMes: free Hijacking … Google: "80% a5acks exploit use-aEer-free...” format Microso-: string 50% CVEs targeted Winows7 are UAF 2

  3. Title Virtual Calls Class Hierarchy: void test ( B * obj ) { class B{ virtual void foo(); obj à foo(); // virtual call site } } B::foo, D1::foo, or D2::foo? class D1: public B{ class D2: public B{ virtual void foo(); virtual void foo(); int data1; int data2; } } § How to resolve the virtual funcMon of an object at runMme ? • VTable pointers in objects RunMme Memory: Resolve virtual funcMons: writable section read-only section Step 1: read VTable pointer from obj obj1 of Class D1 VTable of Class D1 Step 2: read funcMon pointer from VTable vfptr D1::foo() data1 ... obj2 of Class D2 VTable of Class D2 D2::foo() vfptr ... data2 3

  4. Title Virtual Call Hijacking RunMme Memory: Resolve virtual funcMons: Step 1: read VTable pointer from obj writable section read-only section Step 2: read funcMon pointer from VTable obj1 of Class D1 VTable of Class D1 vfptr D1::foo() data1 ... § A5acks: breaking the integrity of VTable pointers § VTable injecMon a5ack: vfptr points to forged VTables writable section read-only section obj1 of Class D1 VTable of Class D1 vfptr PracAcal and reliable: D1::foo() data1 virtual call hijacking + ROP ... forged VTable ROP() ... 4

  5. Title Virtual Call Hijacking (2) RunMme Memory: Resolve virtual funcMons: Step 1: read VTable pointer from obj writable section read-only section Step 2: read funcMon pointer from VTable obj1 of Class D1 VTable of Class D1 vfptr D1::foo() data1 ... § A5acks: breaking the integrity of VTable pointers § VTable injecMon a5ack: vfptr points to forged VTables § VTable reuse a5ack: vfptr points to exisAng but out-of-context VTables writable section read-only section obj1 of Class D1 VTable of Class D1 COOP aEack [S&P’15] vfptr D1::foo() data1 ... other VTable or data fp() ... 5

  6. Title Outline § MoMvaMon § Related Work § Design § ImplementaMon § EvaluaMon § Conclusion 6

  7. Title Binary Level Defenses § VTint [NDSS’15] § T-VIP [ACSAC’14] writable section read-only? object VTable • enforce read-only vfptr vf() data ... § Pro: • binary-compaMble • could defat popular VTable injecMon a5acks § Con: • false posiMves • cannot defeat VTable reuse a5acks , e.g., COOP 7

  8. Title Source Level Defense: Forward Edge CFI § GCC-VTV [Usenix’14], whitelist-based • compute an incomplete set of legiMmate targets at compile-Ame • merge this set by using iniMalizer funcMons at load Ame • validate runMme target against this set at runAme § Pro: • support incremental building § Con: • heavy runMme operaMon, i.e., hash table lookups 8

  9. Title Source Level Defense: RockJIT § CCS’15, CFI-based • collect type informaAon at compile-Ame • compute equivalence classes of transfer targets at load Ame , based on the collected type informaMon . • update the CFI checks to only allow indirect transfers (including virtual calls) to one equivalence class at load-Ame § Pro: • support incremental building § Con: • heavy load Mme operaMons 9

  10. Title Outline § MoMvaMon § Related Work § Design: • Virtual FuncMon Type Enforcement • VTable Pointer SaniMzaMon § ImplementaMon § EvaluaMon § Conclusion 10

  11. Title Virtual FuncMon Type void test ( B * obj, int arg1, void * arg2) class D: public B { { // virtual call site // virtual funcMons obj à foo(arg1, arg2); virtual void foo(int arg1, void * arg2) ; } } § A virtual funcMon is allowed at a virtual call site if and only if it has: • a matching funcMon name • a matching argument type list • matching qualifiers (constant, volaMle, reference) • a compaMble class 11

  12. Title Virtual FuncMon Type Enforcement // virtual call site: expected type // virtual funcMons definiMons: target type obj à foo(arg1, arg2); virtual void foo(int arg1, void * arg2) ; ASSERT( expected_type == target_type ) obj à foo(arg1, arg2); § How to encode the type informaMon, to enable fast type lookup and comparison? • RTTI - based soluMons are too slow 12

  13. Title Virtual FuncMon Type Enforcement // virtual call site: expected type // virtual funcMons definiMons: target type obj à foo(arg1, arg2); virtual void foo(int arg1, void * arg2) ; ASSERT( expected_type == target_type ) obj à foo(arg1, arg2); ASSERT( expected_signature == target_signature ) obj à foo(arg1, arg2); § Our soluMon: compute a signature for the type signature = hash ( funcName, typeList, qualifiers, classInfo ) § All signatures can be computed staMcally and independently. • support incremental building • don’t need extra link-Mme , load-Mme or runMme support • fast and easy to deploy 13

  14. Title Security Analysis Virtual Func Type Enforcement VTable Injection Target Applications VTable Reuse § No ma5er what VTables are used, target virtual funcMons must have matching signatures. § A5ackers can forge signatures if and only if • target applicaMons have dynamic generated code. 14

  15. Title VTable Pointer SaniMzaMon § SoluMon: limit the target funcMons to staMc code § How? • saniMze VTable pointers, to only allow legiMmate VTables used for virtual funcMon lookup. writable section read-only section obj1 of Class D1 VTable of Class D1 vfptr D1::foo() data1 ... writable section read-only section obj1 of Class D1 Translation Table VTable of Class D1 vt_idx D1::vfptr D1::foo() data1 ... ... 15

  16. Title Outline § MoMvaMon § Related Work § Design § ImplementaMon § EvaluaMon § Conclusion 16

  17. Title Virtual FuncMon Type Enforcement ASSERT( expected_signature == target_signature ) obj à foo(arg1, arg2); signature = hash ( funcName, typeList, qualifiers, classInfo ) § Compute signatures • funcMon name: § destructor funcMons § member funcMon pointers • class info: § top-most primary class’ name § Instrument signatures • hard-coded before virtual call sites • hard-coded before virtual funcMon bodies 17

  18. Title VTable Pointer SaniMzaMon writable section read-only section obj1 of Class D1 Translation Table VTable of Class D1 vt_idx D1::vfptr D1::foo() data1 ... ... § A centralized translaMon table is impracMcal • merge this table at load-Mme • update vt_idx in constructor funcMons § Our soluMon: distributed translaMon table • each library has its own translaMon table writable section read-only section Translation Table Global D1's VTable for lib1 Translation obj1 of Class D1 D1::foo() • constant library D1::vfptr Table ... idx_pair ... translaMon tables. lib1 data1 lib2 Translation Table for lib2 D2's VTable ... • constant idx_pair D2::vfptr D1::foo() ... ... 18

  19. Title Overall Workflow Clang/ LLVM CodeGen LLVM Opt LLVMgold.so Clang++ *.cpp LLVM IR LLVM IR *.cpp *.obj layer 1: layer 2: layer 1: executable/ VTable VFunc Type VTable VFunc Type libraries metadata (metadata) (checks) Enforcement Pointer Enforcement Collector (part 1) Sanitization (part 2) VTLib.cpp VTLib.so ld.gold 19

  20. Title Outline § MoMvaMon § Related Work § Design § ImplementaMon § EvaluaMon § Conclusion 20

  21. Title Performance Overhead § SPEC 2006 • avg (two layers together): 2.2% (~ 0.72% + 1.4%) • worst: 8.0% 6.00%$ 5.00%$ 4.00%$ 3.00%$ TypeEnforce$ 2.00%$ VTableSanCze$ 1.00%$ 0.00%$ $ $ $ $ $ $ $ $ . r p x I d y n c I a e p l m a a n a t l t r e a s p e a e v M l a o d n o a n s x m p . o e o G The 1 st layer defense is much faster than the 2 nd layer, sufficient for programs without dynamic generated code. 21

  22. Title Performance Overhead § Firefox • avg (two layers together): 2.2% (~ 0.4% + 1.8%) • worst: 4.3% 3.50%& 3.00%& 2.50%& 2.00%& 1.50%& TypeEnforce& 1.00%& VTableSaniHze& 0.50%& 0.00%& !0.50%& & & & & & & & e n r k e r . e n t r n e e a i d a k a p r m e B i a t e p c M e r e r s K O t e K n . i o L s e u w e c S a G o e r P B 22

  23. Title ProtecMon Effects § VTable injecMon a5acks § VTable reuse a5acks (few in real world) • BCTF challenge “ zhongguancun” 23

  24. Title Corner cases § Custom virtual funcMon definiMons • e.g., nsXPTCStubBase::StubNN() in Firefox • will cause false posiMves § Custom virtual call sites • e.g., NS_InvokeByIndex() in Firefox • will leave extra a5ack surface § VTrust could idenMfy all these corner cases automaMcally, and provides a precise protecMon. 24

  25. Title Conclusion § VTrust provides two layers of defenses against all virtual call hijacking a5acks. § Virtual funcAon type enforcement introduces a very low performance overhead, able to defeat all this type of a5acks if no dynamic code exists in target applicaMons. § VTable pointer saniAzaAon could help defeat all a5acks even if target applicaMons have dynamic code. § The performance and security evaluaMon show that VTrust has a low performance overhead, and provides a strong protecMon. 25

Recommend

IFRS adoption in Cambodia 8 th Floor, VTRUST Tower, St. 196, Sangkat Veal Vong, Khan 7 Makara,

IFRS adoption in Cambodia 8 th Floor, VTRUST Tower, St. 196, Sangkat Veal Vong, Khan 7 Makara,

KAMPUCHEA INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS AND AUDITORS IFRS adoption in Cambodia 8 th Floor, VTRUST Tower, St.

1.69k views • 11 slides
Oxleas NHS Foundation Trust OXLEAS NHS FOUNATION TRUST VIRTUAL CONSULTATIONS Project Lead

Oxleas NHS Foundation Trust OXLEAS NHS FOUNATION TRUST VIRTUAL CONSULTATIONS Project Lead

Showcase Presentation Oxleas NHS Foundation Trust OXLEAS NHS FOUNATION TRUST VIRTUAL CONSULTATIONS Project Lead Melony James Project Team Members Harpreet Sanghara Jo-Anne Linnane Sue Horbury Anthony Elisak Senior Sponsor Alison

321 views • 6 slides
CPU Scheduling - II System Calls Virtual Machines Tevfik Ko ar University at Buffalo

CPU Scheduling - II System Calls Virtual Machines Tevfik Ko ar University at Buffalo

CSE 421/521 - Operating Systems Roadmap Fall 2011 Multilevel Feedback Queues Estimating CPU bursts Lecture - VI CPU Scheduling - II System Calls Virtual Machines Tevfik Ko ar University at Buffalo September 15 th , 2011

442 views • 5 slides
virtual machine (pt 2) / microkernels 1 last time (1) sandboxing fjlter system calls guest

virtual machine (pt 2) / microkernels 1 last time (1) sandboxing fjlter system calls guest

virtual machine (pt 2) / microkernels 1 last time (1) sandboxing fjlter system calls guest OS running in hypervisor on host OS hypervisor tracks virtual machine state does guest OS think its in kernel mode? does guest OS think

947 views • 71 slides
Effective Virtual Meetings & Presentations Max Masnick, PhD 1 Top 4 ways to make video

Effective Virtual Meetings & Presentations Max Masnick, PhD 1 Top 4 ways to make video

Effective Virtual Meetings & Presentations Max Masnick, PhD 1 Top 4 ways to make video calls better 1. Use wired headphones/earbuds for all calls 2. Turn on your video and ask others to do the same 3. Plug your computer into Ethernet for

536 views • 18 slides
VIRTUAL ARCHITECTURAL PRACTICE - AN ALTERNATE REALITY PRODUCED BY AIA PMKC + AIA TRUST 1.5

VIRTUAL ARCHITECTURAL PRACTICE - AN ALTERNATE REALITY PRODUCED BY AIA PMKC + AIA TRUST 1.5

Peter S. Macrae, AIA SPEAKERS: VIRTUAL PRACTICE FRAMEWORK Charles R. Heuer, Esq, FAIA MANAGING RISK WHEN RUNNING A VIRTUAL PRACTICE Kevin J. Collins, RPLU, Associate AIA CHALLENGES TO PROFESSION AND PRACTICE IN A VIRTUAL PRACTICE Lira Luis,

630 views • 37 slides
Splitting Interfaces Making Trust Between Apps and OS Configurable Trust Model for an

Splitting Interfaces Making Trust Between Apps and OS Configurable Trust Model for an

Splitting Interfaces Making Trust Between Apps and OS Configurable Trust Model for an Application Kernel is seldom exploited directly (eg. malicious system calls) Attacker takes control of kernel through privileged applications

869 views • 33 slides
A Model of Trust Evaluation for A Model of Trust Evaluation for X.509 Certificate Abu Shohel

A Model of Trust Evaluation for A Model of Trust Evaluation for X.509 Certificate Abu Shohel

A Model of Trust Evaluation for A Model of Trust Evaluation for X.509 Certificate Abu Shohel Ahmed Abu Shohel Ahmed NordSecMob, University of Tartu How to identify an anonymous persons in online or virtual world? or virtual world? Whom to

582 views • 19 slides
Regaining the ST(E)AM in STEM Education: Transcending Boundaries to Transform STEM Education

Regaining the ST(E)AM in STEM Education: Transcending Boundaries to Transform STEM Education

Regaining the ST(E)AM in STEM Education: Transcending Boundaries to Transform STEM Education Roni Ellington, PhD Plenary Session Midwest Regional Noyce Connections Conference Friday, October 30, 2015 Omaha, Nebraska Thank You for the

372 views • 34 slides
Findings and Recommendations September 2011 Calls into VDN: 82,850 Calls Answered

Findings and Recommendations September 2011 Calls into VDN: 82,850 Calls Answered

Findings and Recommendations September 2011 Calls into VDN: 82,850 Calls Answered (ACCESS & 211): 32,717 Calls Abandoned: 13,978 (42%) Average Wait Time: 39 m minut nutes Customer Service Feedback: Question 8.

308 views • 20 slides
What We Learned From the Mid-Year Check-In Calls: Successes & Challenges Mid-Year Calls

What We Learned From the Mid-Year Check-In Calls: Successes & Challenges Mid-Year Calls

What We Learned From the Mid-Year Check-In Calls: Successes & Challenges Mid-Year Calls Asked state contact and contractor (if applicable) to be on calls Asked states to fill out work plan in advance Calls took around 1 hr.

396 views • 15 slides
ELDER WORK Regaining the Straying OUR ATTITUDE TOWARD THE STRAYING What terms have been used to

ELDER WORK Regaining the Straying OUR ATTITUDE TOWARD THE STRAYING What terms have been used to

ELDER WORK Regaining the Straying OUR ATTITUDE TOWARD THE STRAYING What terms have been used to describe congregation members who neglect word and sacrament? What kind of attitude do those terms reflect toward those who are neglecting the

389 views • 34 slides
Software Agents in Virtual Organizations: Good Faith and Trust Francisco Andrade, Paulo Novais,

Software Agents in Virtual Organizations: Good Faith and Trust Francisco Andrade, Paulo Novais,

Software Agents in Virtual Organizations: Good Faith and Trust Francisco Andrade, Paulo Novais, Jos Machado and Jos Neves Universidade do Minho - Portugal PROVE 2008 Poznan, Poland September, 9 th Introduction Virtual organizations

384 views • 26 slides
CSE 351: The Hardware/Software Interface Section 4 Procedure calls Procedure calls In x86

CSE 351: The Hardware/Software Interface Section 4 Procedure calls Procedure calls In x86

CSE 351: The Hardware/Software Interface Section 4 Procedure calls Procedure calls In x86 assembly, values are passed to function calls on the stack Perks: Concise, easy to remember Drawbacks: Always requires memory accesses In

496 views • 14 slides
SOUND DEVIRTUALIZATION LLVM DEVMTG18 SOUND DEVIRTUALIZATION WHAT ARE VIRTUAL CALLS

SOUND DEVIRTUALIZATION LLVM DEVMTG18 SOUND DEVIRTUALIZATION WHAT ARE VIRTUAL CALLS

PIOTR PADLEWSKI KRZYSZTOF PSZENICZNY SOUND DEVIRTUALIZATION LLVM DEVMTG18 SOUND DEVIRTUALIZATION WHAT ARE VIRTUAL CALLS Polymorphism in OOP %vtable = load {} %p %vfun = load {} %vtable call {} %vfun(args) LLVM DEVMTG18

537 views • 25 slides
Recursion A process by which a function calls itself repeatedly. Either directly. X

Recursion A process by which a function calls itself repeatedly. Either directly. X

1/28/2016 Recursion A process by which a function calls itself repeatedly. Either directly. X calls X. Or cyclically in a chain. X calls Y, and Y calls X. Used for repetitive computations in which each action is stated in

290 views • 10 slides
Recursion 1 Recursion n A process by which a function calls itself repeatedly Either

Recursion 1 Recursion n A process by which a function calls itself repeatedly Either

Recursion 1 Recursion n A process by which a function calls itself repeatedly Either directly. n X calls X Or cyclically in a chain. n X calls Y, and Y calls X n Used for repetitive computations in which each action is stated in terms of a

519 views • 51 slides
Logistics Checkpoint 2 Mostly graded. Note on grading -- Regaining points

Logistics Checkpoint 2 Mostly graded. Note on grading -- Regaining points

Texture Mapping Logistics Checkpoint 2 Mostly graded. Note on grading -- Regaining points Checkpoint 3 Due Monday Project Proposals All should have received e-mail feedback. 1 Logistics Checkpoint 2 Another

525 views • 35 slides
B-S hoe Technologies Ltd. Balancing S hoe for Regaining Balance and Avoiding Falls November

B-S hoe Technologies Ltd. Balancing S hoe for Regaining Balance and Avoiding Falls November

B-S hoe Technologies Ltd. Balancing S hoe for Regaining Balance and Avoiding Falls November 2016 PROPRIETAR Y Elderly Falls We're All Getting There Falls Huge S ocial and Economic Burden $75B annual cost of elderly falls in the

185 views • 15 slides
Outline: A. Wisdoms calls 1. Wisdom calls To salvation (1:20 - 4:27) To wealth (8)

Outline: A. Wisdoms calls 1. Wisdom calls To salvation (1:20 - 4:27) To wealth (8)

Outline: A. Wisdoms calls 1. Wisdom calls To salvation (1:20 - 4:27) To wealth (8) To Life (9) 2. Folly calls To condemnation (5) To poverty (6) To death (7) B. Wisdoms contrasts

657 views • 26 slides
Architectures that Scale Deep: Regaining Control in Deep Systems Ben Sigelman (@el_bhs,

Architectures that Scale Deep: Regaining Control in Deep Systems Ben Sigelman (@el_bhs,

Architectures that Scale Deep: Regaining Control in Deep Systems Ben Sigelman (@el_bhs, bhs@lightstep.com) Co-founder & CEO: LightStep Co-creator: OpenTracing, OpenTelemetry, Google Dapper, Google Monarch QCon SF, November 2019 Part I

951 views • 67 slides
Lecture 04: Understanding System Calls System calls are functions that user programs use to

Lecture 04: Understanding System Calls System calls are functions that user programs use to

Lecture 04: Understanding System Calls System calls are functions that user programs use to interact with the OS and request some core service be executed on their behalf. Examples of system calls we've already seen this quarter: open ,

108 views • 8 slides
Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines: Virtual machine technology, often just called virtualization , makes one computer behave as several Running several operating systems simultaneously on

254 views • 10 slides
Uncover, Understand, Own REGAINING CONTROL OVER YOUR AMD CPU Christian Werling Uncover Security

Uncover, Understand, Own REGAINING CONTROL OVER YOUR AMD CPU Christian Werling Uncover Security

Uncover, Understand, Own REGAINING CONTROL OVER YOUR AMD CPU Christian Werling Uncover Security Research Labs Alexander Eichner Understand Technische Universitt Berlin Robert Buhren Own Technische Universitt Berlin Uncover

644 views • 60 slides

More recommend