type casting verification stopping an emerging attack
play

Type Casting Verification: Stopping an Emerging Attack Vector - PowerPoint PPT Presentation

Oct 31, 2023 •448 likes •1.14k views

Type Casting Verification: Stopping an Emerging Attack Vector Byoungyoung Lee, Chengyu Song, Taesoo Kim, and Wenke Lee Georgia Institute of Technology 1 Vulnerability Trends Microsoft vulnerability trends (2013) Use-after-free Stack

  1. Type Casting Verification: Stopping an Emerging Attack Vector Byoungyoung Lee, Chengyu Song, Taesoo Kim, and Wenke Lee Georgia Institute of Technology 1

  2. Vulnerability Trends Microsoft vulnerability trends (2013) Use-after-free Stack overflow Heap overflow Bad casting (or type confusion) 2

  3. Stack Overflows Microsoft vulnerability trends (2013) # of Stack overflows is decreasing

  4. Use-After-Free # of Use-after-free is increasing  Preventing Use-after-free with Dangling Pointers Nullification [NDSS ’15] Microsoft vulnerability trends (2013)

  5. Bad-casting Bad-casting (or type confusion) is still not solved. 5

  6. Type Conversions in C++ • static_cast – Compile-time conversions – Fast : no extra verification in run-time – No information on actually allocated types in runtime. • dynamic_cast – Run-time conversions – Requires Runtime Type Information (RTTI) – Slow : Extra verification by parsing RTTI – Typically prohibited in performance critical applications 6

  7. Upcasting and Downcasting • Upcasting – From a derived class to its parent class • Downcasting – From a parent class to one of its derived classes 7

  8. Upcasting and Downcasting • Upcasting – From a derived class to its parent class • Downcasting – From a parent class to one of its derived classes Element HTMLElement SVGElement 7

  9. Upcasting and Downcasting • Upcasting – From a derived class to its parent class • Downcasting – From a parent class to one of its derived classes Upcasting Element HTMLElement SVGElement 7

  10. Upcasting and Downcasting • Upcasting – From a derived class to its parent class • Downcasting – From a parent class to one of its derived classes Downcasting Upcasting Element HTMLElement SVGElement 7

  11. Upcasting and Downcasting • Upcasting – From a derived class to its parent class • Downcasting – From a parent class to one of its derived classes Downcasting Upcasting Element HTMLElement SVGElement Upcasting is always safe, but downcasting is not! 7

  12. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; 8

  13. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; vftptr for P int m_P Access scope of P* 8

  14. Downcasting is not always safe! class P { class D: public P { virtual ~P() {} virtual ~D() {} int m_P; int m_D; }; }; vftptr for D vftptr for P int m_P int m_P Access scope of P* int m_D Access scope of D* 8

  15. Downcasting can be Bad-casting P *pS = new P(); D *pD = static_cast<D*>(pS); pD->m_D; 9

  16. Downcasting can be Bad-casting Bad-casting occurs: D is not a sub-object of P  Undefined behavior P *pS = new P(); D *pD = static_cast<D*>(pS); D *pD = static_cast<D*>(pS); pD->m_D; 9

  17. Downcasting can be Bad-casting P *pS = new P(); D *pD = static_cast<D*>(pS); pD->m_D; pD->m_D; Memory corruptions 9

  18. Downcasting can be Bad-casting vftptr for P P *pS = new P(); int m_P D *pD = static_cast<D*>(pS); pD->m_D; pD->m_D; Memory corruptions 9

  19. Downcasting can be Bad-casting &(pD->m_D) vftptr for P P *pS = new P(); int m_P D *pD = static_cast<D*>(pS); pD->m_D; pD->m_D; Memory corruptions 9

  20. Downcasting can be Bad-casting &(pD->m_D) vftptr for P P *pS = new P(); int m_P D *pD = static_cast<D*>(pS); int m_D pD->m_D; pD->m_D; Memory corruptions 9

  21. Downcasting can be Bad-casting &(pD->m_D) vftptr for P P *pS = new P(); int m_P D *pD = static_cast<D*>(pS); int m_D pD->m_D; pD->m_D; Memory corruptions 9

  22. Real-world Exploits on Bad-casting • CVE-2013-0912 – A bad-casting vulnerability in Chrome – Used in 2013 Pwn2Own ContainerNode Element HTMLElement SVGElement HTMLUnknownElement 10

  23. Real-world Exploits on Bad-casting • CVE-2013-0912 – A bad-casting vulnerability in Chrome – Used in 2013 Pwn2Own ContainerNode Element HTMLElement SVGElement HTMLUnknownElement 1. Allocated 10

  24. Real-world Exploits on Bad-casting • CVE-2013-0912 – A bad-casting vulnerability in Chrome – Used in 2013 Pwn2Own ContainerNode 2. Upcasting Element HTMLElement SVGElement HTMLUnknownElement 1. Allocated 10

  25. Real-world Exploits on Bad-casting • CVE-2013-0912 – A bad-casting vulnerability in Chrome – Used in 2013 Pwn2Own ContainerNode 2. Upcasting 3. Downcasting Element HTMLElement SVGElement HTMLUnknownElement 1. Allocated 10

  26. Real-world Exploits on Bad-casting • CVE-2013-0912 – A bad-casting vulnerability in Chrome – Used in 2013 Pwn2Own ContainerNode 2. Upcasting 3. Downcasting Element HTMLElement SVGElement 160 bytes HTMLUnknownElement 1. Allocated 96 bytes 10

  27. Real-world Exploits on Bad-casting ScriptWrapperble NoBaseWillBeGarbageCollectedFinalized<> EventTarget TreeShared<Node> Node ContainerNode Element HTMLElement PseudoElement VTTElement VTTElement SVGElement LabelableElement HtmlTableElement HTMLRubyElement HTMLFontElement 57 classes! HTMLMenuElement HTMLLabelElement … HTMLUnknownElement 11

  28. Real-world Exploits on Bad-casting ScriptWrapperble NoBaseWillBeGarbageCollectedFinalized<> EventTarget TreeShared<Node> Node ContainerNode Very complex class hierarchies Element  Error-prone type casting operations HTMLElement PseudoElement VTTElement VTTElement SVGElement LabelableElement HtmlTableElement HTMLRubyElement HTMLFontElement 57 classes! HTMLMenuElement HTMLLabelElement … HTMLUnknownElement 11

  29. Existing Solutions and Challenges • Replace all static_cast into dynamic_cast • dynamic_cast on a polymorphic class (with RTTI) – A pointer points to a virtual function table pointer – Traversing a virtual function table leads to RTTI Offset to the top ptr &std::type_info A class name vftptr 1 st virtual function … … 12

  30. Existing Solutions and Challenges • dynamic_cast on a non-polymorphic class – A pointer points to the first member variable – Simply traversing such a variable leads to a runtime crash ptr … ... 13

  31. Existing Solutions and Challenges • dynamic_cast on a non-polymorphic class – A pointer points to the first member variable – Simply traversing such a variable leads to a runtime crash ptr … ... C++ supports no reliable methods to resolve whether a pointer points to polymorphic or non-polymorphic classes. 13

  32. Existing Solutions and Challenges • dynamic_cast on a non-polymorphic class – A pointer points to the first member variable – Simply traversing such a variable leads to a runtime crash ptr … ... C++ supports no reliable methods to resolve whether a pointer points to polymorphic or non-polymorphic classes. Previous solutions including Undefined Behavior Sanitizer relies on blacklists. 13

  33. CaVer: CastVerifier • CaVer : CastVerifier – A bad-casting detection tool • Design goals – Easy-to-deploy: no blacklists – Reasonable runtime performance 14

  34. CaVer Overview Emit THTable Source code Instrumentation Compile 15

  35. CaVer Overview Emit THTable Source code Instrumentation CaVer Runtime Compile Link 15

  36. CaVer Overview Emit THTable Source Secured code executable Instrumentation CaVer Runtime Compile Link 15

  37. Technical Goal of CaVer P *ptr = new P ; static_cast< D *>( ptr ); 16

  38. Technical Goal of CaVer P *ptr = new P ; Allocated static_cast< D *>( ptr ); 16

  39. Technical Goal of CaVer P *ptr = new P ; Allocated static_cast< D *>( ptr ); To be casted 16

  40. Technical Goal of CaVer P *ptr = new P ; Allocated static_cast< D *>( ptr ); To be casted ptr Object (P) 16

  41. Technical Goal of CaVer P *ptr = new P ; Allocated static_cast< D *>( ptr ); To be casted Q. What are the class relationships b/w P and D?  THTable ptr Object (P) 16

  42. Technical Goal of CaVer P *ptr = new P ; Allocated static_cast< D *>( ptr ); To be casted Q. What are the class relationships b/w P and D?  THTable ptr Object (P) Q. Is ptr points to P or D?  Runtime type tracing 16

  43. Type Hierarchy Table (THTable) • A set of all legitimate classes to be converted – Class names are hashed for fast comparison – Hierarchies are unrolled to avoid recursive traversal THTable (P) THTable (D) h ash(“P”) h ash(“D”) … hash(“P”) … 17

  44. Type Hierarchy Table (THTable) • A set of all legitimate classes to be converted – Class names are hashed for fast comparison – Hierarchies are unrolled to avoid recursive traversal THTable (P) THTable (D) h ash(“P”) h ash(“D”) … hash(“P”) … Hashed class names 17

  45. Type Hierarchy Table (THTable) • A set of all legitimate classes to be converted – Class names are hashed for fast comparison – Hierarchies are unrolled to avoid recursive traversal Unrolled linearly THTable (P) THTable (D) h ash(“P”) h ash(“D”) … hash(“P”) … 17

  46. Runtime Type Tracing P *ptr = new P; P *ptr = new P; trace(ptr, &THTable(P)); 18

  47. Runtime Type Tracing P *ptr = new P; P *ptr = new P; trace(ptr, &THTable(P)); THTable (P) h ash(“P”) … ptr Object (P) 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ML through Streaming at Sherin Thomas @doodlesmt Stopping a Phishing Attack Hello Alex, Im

ML through Streaming at Sherin Thomas @doodlesmt Stopping a Phishing Attack Hello Alex, Im

QCON LONDON 2020 ML through Streaming at Sherin Thomas @doodlesmt Stopping a Phishing Attack Hello Alex, Im Tracy calling from Lyft HQ. This month were awarding $200 to all 4.7+ star drivers. Congratulations! Hey Tracy, thanks! Np!

769 views • 60 slides
Casting Simulation Technology Julian Gnz Application Specialist Casting, CD-adapco Casting

Casting Simulation Technology Julian Gnz Application Specialist Casting, CD-adapco Casting

Casting Simulation Technology Julian Gnz Application Specialist Casting, CD-adapco Casting materials Market Overview [Mio tons] Grey Iron 13,6 38,16 9 Ductile Iron Steel 19,4 Non Ferrous alloys From Modern Casting 2010 world

377 views • 15 slides
Casting Simulations with STAR-Cast Julian Gnz, CD-adapco Need for Casting Simulation

Casting Simulations with STAR-Cast Julian Gnz, CD-adapco Need for Casting Simulation

Casting Simulations with STAR-Cast Julian Gnz, CD-adapco Need for Casting Simulation Processes Market Overview [Mio tons] Permanent Mold Tilt Casting 13,6 38,16 Grey Iron 9 Low Pressure-Casting Ductile Iron High

301 views • 27 slides
SLIP-CASTING a ceramic forming technique WHAT IS SLIP-CASTING?

SLIP-CASTING a ceramic forming technique WHAT IS SLIP-CASTING?

SLIP-CASTING a ceramic forming technique WHAT IS SLIP-CASTING? http://www.sightunseen.com/2012/06/josh-bitellis-forfars-bakery-and-roadworkers-projects/ http://www.joshbitelli.co.uk/ Slip-casting is a technique for small-scale production runs,

382 views • 12 slides
CSE 333 Section 6 HW3 Overview, Casting 1 Section Plan Casting HW 3 Overview 3

CSE 333 Section 6 HW3 Overview, Casting 1 Section Plan Casting HW 3 Overview 3

CSE 333 Section 6 HW3 Overview, Casting 1 Section Plan Casting HW 3 Overview 3 Casting! 4 Casting in C++ Four different casts that are more explicit: 1. static_cast&lt;to_type&gt;(expression) 2.

919 views • 33 slides
Minimization strategy for choice of the stopping index in conjugate gradient type methods for

Minimization strategy for choice of the stopping index in conjugate gradient type methods for

Introduction Other rules Numerical examples Minimization strategy for choice of the stopping index in conjugate gradient type methods for ill-posed problems Uno Hmarik, Reimo Palm, Toomas Raus Vienna, July 20, 2009 Uno Hmarik, Reimo

283 views • 14 slides
Macro Scale Casting Simulation with STAR-Cast J.Gnz CD-adapco Casting Systems Product

Macro Scale Casting Simulation with STAR-Cast J.Gnz CD-adapco Casting Systems Product

Macro Scale Casting Simulation with STAR-Cast J.Gnz CD-adapco Casting Systems Product requirements increase: Less weight Higher efficiency Time to market decreases Casting processes must be adopted Simulation to

318 views • 21 slides
Integrated Presentation Attack Detection and Automatic Speaker Verification: Common Features and

Integrated Presentation Attack Detection and Automatic Speaker Verification: Common Features and

Integrated Presentation Attack Detection and Automatic Speaker Verification: Common Features and Gaussian Back-end Fusion Massimiliano Todisco 1 , H ector Delgado 1 , Kong Aik Lee 2 , Md Sahidullah 3 , Nicholas Evans 1 , Tomi Kinnunen 4 and

292 views • 5 slides
14/ 04/ 2020 Are we in a Crisis? Communic ation A c r isis is a pe ople - stopping,

14/ 04/ 2020 Are we in a Crisis? Communic ation A c r isis is a pe ople - stopping,

14/ 04/ 2020 Are we in a Crisis? Communic ation A c r isis is a pe ople - stopping, show-stopping, pr oduc t stopping, r e putation de fining, and tr ust-busting e ve nt that c r e ate s vic tims and/ or e xplosive visibility. ~

180 views • 6 slides
lecture 18 Recall Ray Casting (lectures 7, 8) Ray tracing is like ray casting, but now mirror

lecture 18 Recall Ray Casting (lectures 7, 8) Ray tracing is like ray casting, but now mirror

lecture 18 Recall Ray Casting (lectures 7, 8) Ray tracing is like ray casting, but now mirror reflections are allowed. - ray tracing for each pixel (x,y) { - environment mapping cast a ray through that pixel into the scene, and find the

380 views • 6 slides
Evolution of the Aluminium High Pressure Die Casting in India CONTENTS INDIA - A VIBRANT ECONOMY

Evolution of the Aluminium High Pressure Die Casting in India CONTENTS INDIA - A VIBRANT ECONOMY

Evolution of the Aluminium High Pressure Die Casting in India CONTENTS INDIA - A VIBRANT ECONOMY HISTORY OF INDIAN DIE CASTING INDUSTRY PRESENT STATUS OF INDIAN DIE CASTING INDUSTRY AUTOMOTIVE - THE LARGEST CUSTOMER OF DIE CASTING IN INDIA

701 views • 33 slides
Casting Process in which molten metal flows by gravity or other force into a mold or die

Casting Process in which molten metal flows by gravity or other force into a mold or die

Casting Process in which molten metal flows by gravity or other force into a mold or die where it solidifies in the shape of the mold cavity. The term casting also applies to the part made in the process. 1 Steps of Casting Process

1.22k views • 69 slides
Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg prasadn@ microsoft.com SE Linux Symposium Attack- based DTA 1 06 Outline Motivation Review of type enforcement transitions Attack

471 views • 18 slides
via STAR-Cast Santhanu Jana, Access e.V., Aachen Talk overview Centrifugal casting

via STAR-Cast Santhanu Jana, Access e.V., Aachen Talk overview Centrifugal casting

Simulation of Centrifugal Casting via STAR-Cast Santhanu Jana, Access e.V., Aachen Talk overview Centrifugal casting STAR-Casts modelling basis Motivation for centrifugal investment casting Centrifugal investment casting of

590 views • 31 slides
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar Pandey Indian Statistical Institute Kolkata January 14, 2012 Sumit Kumar Pandey Relaxing IND-CCA: Indistinguishability Against Chosen Outline 1

624 views • 37 slides
Join Indias First Indigenous Investment Casting foundry exclusively for Aerospace, Defence

Join Indias First Indigenous Investment Casting foundry exclusively for Aerospace, Defence

Join Indias First Indigenous Investment Casting foundry exclusively for Aerospace, Defence &amp; M edical application Aerospace Defense Medical A World Class Investment Casting Foundry AS9100D &amp; Nadcap Certified Investment Casting

416 views • 40 slides
Nuovi farmaci nel tumore del polmone: razionale biologico, tossicit ed efficacia Michele Fiore

Nuovi farmaci nel tumore del polmone: razionale biologico, tossicit ed efficacia Michele Fiore

Nuovi farmaci nel tumore del polmone: razionale biologico, tossicit ed efficacia Michele Fiore Radioterapia Oncologica Universit Campus Bio-Medico di Roma - Via lvaro del Portillo, 21 - 00128 Roma Italia www.unicampus.it Shifting

670 views • 50 slides
Central America Geothermal Central America Geothermal Development and EGS Development and EGS

Central America Geothermal Central America Geothermal Development and EGS Development and EGS

Central America Geothermal Central America Geothermal Development and EGS Development and EGS Perpectives Perpectives Manuel Monterrosa Potsdam, January 2007 1 CONTENT CONTENT Central America Electricity demand Geothermal field in

504 views • 17 slides
ADPC Activities and Overview Asian Disaster Preparedness Center Historical Overview Historical

ADPC Activities and Overview Asian Disaster Preparedness Center Historical Overview Historical

Asian Disaster Preparedness Center Asian Disaster Preparedness Center Asian Disaster Preparedness Center ADPC Activities and Overview Asian Disaster Preparedness Center Historical Overview Historical Overview Established in 1986 at the

651 views • 46 slides
COVID-19 on Children: Faith and Spiritual Nourishment as Key Factors for the Protection and

COVID-19 on Children: Faith and Spiritual Nourishment as Key Factors for the Protection and

ISPCAN COVID-19 WEBINAR SERIES The Emotional and Spiritual Impact of COVID-19 on Children: Faith and Spiritual Nourishment as Key Factors for the Protection and Resilience of Children April 23, 2020 Silvia Mazzarelli, Arigatou

557 views • 21 slides
Casting and Scanning for Cycling Specific Orthotics JOHN HUENINK- CEO BIOMOTO Biomechanical

Casting and Scanning for Cycling Specific Orthotics JOHN HUENINK- CEO BIOMOTO Biomechanical

Casting and Scanning for Cycling Specific Orthotics JOHN HUENINK- CEO BIOMOTO Biomechanical Corrections Utilizing the Sensory Motor System to Stabilize the Foot. MOVEMENT ANALYSIS AND CUSTOM INSOLE MANUFACTURING Syllabus Custom orthosis and

755 views • 17 slides
Ray Casting Based on slides of Thomas Funkhouser 3D Rendering The color of each pixel on

Ray Casting Based on slides of Thomas Funkhouser 3D Rendering The color of each pixel on

Ray Casting Based on slides of Thomas Funkhouser 3D Rendering The color of each pixel on the view plane depends on the radiance emanating from visible surfaces Rays through view plane Simplest method is ray casting View plane Eye

390 views • 16 slides
A a:INTEGER b:INTEGER B C c:INTEGER D d:INTEGER Figure 1: Class Inheritance Hierarchy 1 2

A a:INTEGER b:INTEGER B C c:INTEGER D d:INTEGER Figure 1: Class Inheritance Hierarchy 1 2

EECS3311 Software Design Fall 2018 Static Types, Expectations, Dynamic Types, and Type Casts Chen-Wei Wang Contents 1 Inheritance Hierarchy 1 2 Static Types (at Compile Time) Define Expected Usages 2 3 Dynamic Types (at Runtime) 2 4

198 views • 5 slides
Types in C LAST TODAY NEXT Numbers in C Cs Memory Model C0 virtual machine

Types in C LAST TODAY NEXT Numbers in C Cs Memory Model C0 virtual machine

Types in C LAST TODAY NEXT Numbers in C Cs Memory Model C0 virtual machine Implementation-defined behavior Arrays and pointers Other C types Pointer casting Arrays on the stack Structs on the stack

564 views • 29 slides

More recommend