vtrust regaining trust on virtual calls
play

VTrust: Regaining Trust on Virtual Calls Chao Zhang , Sco5 A. Carr, - PowerPoint PPT Presentation

Title VTrust: Regaining Trust on Virtual Calls Chao Zhang , Sco5 A. Carr, Tongxin Li, Yu Ding, Chengyu Song, Mathias Payer, Dawn Song UC Berkeley, Purdue University, Peking University, Georgia Tech Title Virtual Call Hijacking in real world A


  1. Title VTrust: Regaining Trust on Virtual Calls Chao Zhang , Sco5 A. Carr, Tongxin Li, Yu Ding, Chengyu Song, Mathias Payer, Dawn Song UC Berkeley, Purdue University, Peking University, Georgia Tech

  2. Title Virtual Call Hijacking in real world A common way to exploit: • wri5en in C++ • heavy use of virtual funcMons and virtual calls heap overflow use aEer Virtual Call plenty of vulnerabiliMes: free Hijacking … Google: "80% a5acks exploit use-aEer-free...” format Microso-: string 50% CVEs targeted Winows7 are UAF 2

  3. Title Virtual Calls Class Hierarchy: void test ( B * obj ) { class B{ virtual void foo(); obj à foo(); // virtual call site } } B::foo, D1::foo, or D2::foo? class D1: public B{ class D2: public B{ virtual void foo(); virtual void foo(); int data1; int data2; } } § How to resolve the virtual funcMon of an object at runMme ? • VTable pointers in objects RunMme Memory: Resolve virtual funcMons: writable section read-only section Step 1: read VTable pointer from obj obj1 of Class D1 VTable of Class D1 Step 2: read funcMon pointer from VTable vfptr D1::foo() data1 ... obj2 of Class D2 VTable of Class D2 D2::foo() vfptr ... data2 3

  4. Title Virtual Call Hijacking RunMme Memory: Resolve virtual funcMons: Step 1: read VTable pointer from obj writable section read-only section Step 2: read funcMon pointer from VTable obj1 of Class D1 VTable of Class D1 vfptr D1::foo() data1 ... § A5acks: breaking the integrity of VTable pointers § VTable injecMon a5ack: vfptr points to forged VTables writable section read-only section obj1 of Class D1 VTable of Class D1 vfptr PracAcal and reliable: D1::foo() data1 virtual call hijacking + ROP ... forged VTable ROP() ... 4

  5. Title Virtual Call Hijacking (2) RunMme Memory: Resolve virtual funcMons: Step 1: read VTable pointer from obj writable section read-only section Step 2: read funcMon pointer from VTable obj1 of Class D1 VTable of Class D1 vfptr D1::foo() data1 ... § A5acks: breaking the integrity of VTable pointers § VTable injecMon a5ack: vfptr points to forged VTables § VTable reuse a5ack: vfptr points to exisAng but out-of-context VTables writable section read-only section obj1 of Class D1 VTable of Class D1 COOP aEack [S&P’15] vfptr D1::foo() data1 ... other VTable or data fp() ... 5

  6. Title Outline § MoMvaMon § Related Work § Design § ImplementaMon § EvaluaMon § Conclusion 6

  7. Title Binary Level Defenses § VTint [NDSS’15] § T-VIP [ACSAC’14] writable section read-only? object VTable • enforce read-only vfptr vf() data ... § Pro: • binary-compaMble • could defat popular VTable injecMon a5acks § Con: • false posiMves • cannot defeat VTable reuse a5acks , e.g., COOP 7

  8. Title Source Level Defense: Forward Edge CFI § GCC-VTV [Usenix’14], whitelist-based • compute an incomplete set of legiMmate targets at compile-Ame • merge this set by using iniMalizer funcMons at load Ame • validate runMme target against this set at runAme § Pro: • support incremental building § Con: • heavy runMme operaMon, i.e., hash table lookups 8

  9. Title Source Level Defense: RockJIT § CCS’15, CFI-based • collect type informaAon at compile-Ame • compute equivalence classes of transfer targets at load Ame , based on the collected type informaMon . • update the CFI checks to only allow indirect transfers (including virtual calls) to one equivalence class at load-Ame § Pro: • support incremental building § Con: • heavy load Mme operaMons 9

  10. Title Outline § MoMvaMon § Related Work § Design: • Virtual FuncMon Type Enforcement • VTable Pointer SaniMzaMon § ImplementaMon § EvaluaMon § Conclusion 10

  11. Title Virtual FuncMon Type void test ( B * obj, int arg1, void * arg2) class D: public B { { // virtual call site // virtual funcMons obj à foo(arg1, arg2); virtual void foo(int arg1, void * arg2) ; } } § A virtual funcMon is allowed at a virtual call site if and only if it has: • a matching funcMon name • a matching argument type list • matching qualifiers (constant, volaMle, reference) • a compaMble class 11

  12. Title Virtual FuncMon Type Enforcement // virtual call site: expected type // virtual funcMons definiMons: target type obj à foo(arg1, arg2); virtual void foo(int arg1, void * arg2) ; ASSERT( expected_type == target_type ) obj à foo(arg1, arg2); § How to encode the type informaMon, to enable fast type lookup and comparison? • RTTI - based soluMons are too slow 12

  13. Title Virtual FuncMon Type Enforcement // virtual call site: expected type // virtual funcMons definiMons: target type obj à foo(arg1, arg2); virtual void foo(int arg1, void * arg2) ; ASSERT( expected_type == target_type ) obj à foo(arg1, arg2); ASSERT( expected_signature == target_signature ) obj à foo(arg1, arg2); § Our soluMon: compute a signature for the type signature = hash ( funcName, typeList, qualifiers, classInfo ) § All signatures can be computed staMcally and independently. • support incremental building • don’t need extra link-Mme , load-Mme or runMme support • fast and easy to deploy 13

  14. Title Security Analysis Virtual Func Type Enforcement VTable Injection Target Applications VTable Reuse § No ma5er what VTables are used, target virtual funcMons must have matching signatures. § A5ackers can forge signatures if and only if • target applicaMons have dynamic generated code. 14

  15. Title VTable Pointer SaniMzaMon § SoluMon: limit the target funcMons to staMc code § How? • saniMze VTable pointers, to only allow legiMmate VTables used for virtual funcMon lookup. writable section read-only section obj1 of Class D1 VTable of Class D1 vfptr D1::foo() data1 ... writable section read-only section obj1 of Class D1 Translation Table VTable of Class D1 vt_idx D1::vfptr D1::foo() data1 ... ... 15

  16. Title Outline § MoMvaMon § Related Work § Design § ImplementaMon § EvaluaMon § Conclusion 16

  17. Title Virtual FuncMon Type Enforcement ASSERT( expected_signature == target_signature ) obj à foo(arg1, arg2); signature = hash ( funcName, typeList, qualifiers, classInfo ) § Compute signatures • funcMon name: § destructor funcMons § member funcMon pointers • class info: § top-most primary class’ name § Instrument signatures • hard-coded before virtual call sites • hard-coded before virtual funcMon bodies 17

  18. Title VTable Pointer SaniMzaMon writable section read-only section obj1 of Class D1 Translation Table VTable of Class D1 vt_idx D1::vfptr D1::foo() data1 ... ... § A centralized translaMon table is impracMcal • merge this table at load-Mme • update vt_idx in constructor funcMons § Our soluMon: distributed translaMon table • each library has its own translaMon table writable section read-only section Translation Table Global D1's VTable for lib1 Translation obj1 of Class D1 D1::foo() • constant library D1::vfptr Table ... idx_pair ... translaMon tables. lib1 data1 lib2 Translation Table for lib2 D2's VTable ... • constant idx_pair D2::vfptr D1::foo() ... ... 18

  19. Title Overall Workflow Clang/ LLVM CodeGen LLVM Opt LLVMgold.so Clang++ *.cpp LLVM IR LLVM IR *.cpp *.obj layer 1: layer 2: layer 1: executable/ VTable VFunc Type VTable VFunc Type libraries metadata (metadata) (checks) Enforcement Pointer Enforcement Collector (part 1) Sanitization (part 2) VTLib.cpp VTLib.so ld.gold 19

  20. Title Outline § MoMvaMon § Related Work § Design § ImplementaMon § EvaluaMon § Conclusion 20

  21. Title Performance Overhead § SPEC 2006 • avg (two layers together): 2.2% (~ 0.72% + 1.4%) • worst: 8.0% 6.00%$ 5.00%$ 4.00%$ 3.00%$ TypeEnforce$ 2.00%$ VTableSanCze$ 1.00%$ 0.00%$ $ $ $ $ $ $ $ $ . r p x I d y n c I a e p l m a a n a t l t r e a s p e a e v M l a o d n o a n s x m p . o e o G The 1 st layer defense is much faster than the 2 nd layer, sufficient for programs without dynamic generated code. 21

  22. Title Performance Overhead § Firefox • avg (two layers together): 2.2% (~ 0.4% + 1.8%) • worst: 4.3% 3.50%& 3.00%& 2.50%& 2.00%& 1.50%& TypeEnforce& 1.00%& VTableSaniHze& 0.50%& 0.00%& !0.50%& & & & & & & & e n r k e r . e n t r n e e a i d a k a p r m e B i a t e p c M e r e r s K O t e K n . i o L s e u w e c S a G o e r P B 22

  23. Title ProtecMon Effects § VTable injecMon a5acks § VTable reuse a5acks (few in real world) • BCTF challenge “ zhongguancun” 23

  24. Title Corner cases § Custom virtual funcMon definiMons • e.g., nsXPTCStubBase::StubNN() in Firefox • will cause false posiMves § Custom virtual call sites • e.g., NS_InvokeByIndex() in Firefox • will leave extra a5ack surface § VTrust could idenMfy all these corner cases automaMcally, and provides a precise protecMon. 24

  25. Title Conclusion § VTrust provides two layers of defenses against all virtual call hijacking a5acks. § Virtual funcAon type enforcement introduces a very low performance overhead, able to defeat all this type of a5acks if no dynamic code exists in target applicaMons. § VTable pointer saniAzaAon could help defeat all a5acks even if target applicaMons have dynamic code. § The performance and security evaluaMon show that VTrust has a low performance overhead, and provides a strong protecMon. 25

Recommend


More recommend