vtrust regaining trust on virtual calls
play

VTrust: Regaining Trust on Virtual Calls Chao Zhang , Sco5 A. Carr, - PowerPoint PPT Presentation

Aug 25, 2023 •126 likes •390 views

Title VTrust: Regaining Trust on Virtual Calls Chao Zhang , Sco5 A. Carr, Tongxin Li, Yu Ding, Chengyu Song, Mathias Payer, Dawn Song UC Berkeley, Purdue University, Peking University, Georgia Tech Title Virtual Call Hijacking in real world A

  1. Title VTrust: Regaining Trust on Virtual Calls Chao Zhang , Sco5 A. Carr, Tongxin Li, Yu Ding, Chengyu Song, Mathias Payer, Dawn Song UC Berkeley, Purdue University, Peking University, Georgia Tech

  2. Title Virtual Call Hijacking in real world A common way to exploit: • wri5en in C++ • heavy use of virtual funcMons and virtual calls heap overflow use aEer Virtual Call plenty of vulnerabiliMes: free Hijacking … Google: "80% a5acks exploit use-aEer-free...” format Microso-: string 50% CVEs targeted Winows7 are UAF 2

  3. Title Virtual Calls Class Hierarchy: void test ( B * obj ) { class B{ virtual void foo(); obj à foo(); // virtual call site } } B::foo, D1::foo, or D2::foo? class D1: public B{ class D2: public B{ virtual void foo(); virtual void foo(); int data1; int data2; } } § How to resolve the virtual funcMon of an object at runMme ? • VTable pointers in objects RunMme Memory: Resolve virtual funcMons: writable section read-only section Step 1: read VTable pointer from obj obj1 of Class D1 VTable of Class D1 Step 2: read funcMon pointer from VTable vfptr D1::foo() data1 ... obj2 of Class D2 VTable of Class D2 D2::foo() vfptr ... data2 3

  4. Title Virtual Call Hijacking RunMme Memory: Resolve virtual funcMons: Step 1: read VTable pointer from obj writable section read-only section Step 2: read funcMon pointer from VTable obj1 of Class D1 VTable of Class D1 vfptr D1::foo() data1 ... § A5acks: breaking the integrity of VTable pointers § VTable injecMon a5ack: vfptr points to forged VTables writable section read-only section obj1 of Class D1 VTable of Class D1 vfptr PracAcal and reliable: D1::foo() data1 virtual call hijacking + ROP ... forged VTable ROP() ... 4

  5. Title Virtual Call Hijacking (2) RunMme Memory: Resolve virtual funcMons: Step 1: read VTable pointer from obj writable section read-only section Step 2: read funcMon pointer from VTable obj1 of Class D1 VTable of Class D1 vfptr D1::foo() data1 ... § A5acks: breaking the integrity of VTable pointers § VTable injecMon a5ack: vfptr points to forged VTables § VTable reuse a5ack: vfptr points to exisAng but out-of-context VTables writable section read-only section obj1 of Class D1 VTable of Class D1 COOP aEack [S&P’15] vfptr D1::foo() data1 ... other VTable or data fp() ... 5

  6. Title Outline § MoMvaMon § Related Work § Design § ImplementaMon § EvaluaMon § Conclusion 6

  7. Title Binary Level Defenses § VTint [NDSS’15] § T-VIP [ACSAC’14] writable section read-only? object VTable • enforce read-only vfptr vf() data ... § Pro: • binary-compaMble • could defat popular VTable injecMon a5acks § Con: • false posiMves • cannot defeat VTable reuse a5acks , e.g., COOP 7

  8. Title Source Level Defense: Forward Edge CFI § GCC-VTV [Usenix’14], whitelist-based • compute an incomplete set of legiMmate targets at compile-Ame • merge this set by using iniMalizer funcMons at load Ame • validate runMme target against this set at runAme § Pro: • support incremental building § Con: • heavy runMme operaMon, i.e., hash table lookups 8

  9. Title Source Level Defense: RockJIT § CCS’15, CFI-based • collect type informaAon at compile-Ame • compute equivalence classes of transfer targets at load Ame , based on the collected type informaMon . • update the CFI checks to only allow indirect transfers (including virtual calls) to one equivalence class at load-Ame § Pro: • support incremental building § Con: • heavy load Mme operaMons 9

  10. Title Outline § MoMvaMon § Related Work § Design: • Virtual FuncMon Type Enforcement • VTable Pointer SaniMzaMon § ImplementaMon § EvaluaMon § Conclusion 10

  11. Title Virtual FuncMon Type void test ( B * obj, int arg1, void * arg2) class D: public B { { // virtual call site // virtual funcMons obj à foo(arg1, arg2); virtual void foo(int arg1, void * arg2) ; } } § A virtual funcMon is allowed at a virtual call site if and only if it has: • a matching funcMon name • a matching argument type list • matching qualifiers (constant, volaMle, reference) • a compaMble class 11

  12. Title Virtual FuncMon Type Enforcement // virtual call site: expected type // virtual funcMons definiMons: target type obj à foo(arg1, arg2); virtual void foo(int arg1, void * arg2) ; ASSERT( expected_type == target_type ) obj à foo(arg1, arg2); § How to encode the type informaMon, to enable fast type lookup and comparison? • RTTI - based soluMons are too slow 12

  13. Title Virtual FuncMon Type Enforcement // virtual call site: expected type // virtual funcMons definiMons: target type obj à foo(arg1, arg2); virtual void foo(int arg1, void * arg2) ; ASSERT( expected_type == target_type ) obj à foo(arg1, arg2); ASSERT( expected_signature == target_signature ) obj à foo(arg1, arg2); § Our soluMon: compute a signature for the type signature = hash ( funcName, typeList, qualifiers, classInfo ) § All signatures can be computed staMcally and independently. • support incremental building • don’t need extra link-Mme , load-Mme or runMme support • fast and easy to deploy 13

  14. Title Security Analysis Virtual Func Type Enforcement VTable Injection Target Applications VTable Reuse § No ma5er what VTables are used, target virtual funcMons must have matching signatures. § A5ackers can forge signatures if and only if • target applicaMons have dynamic generated code. 14

  15. Title VTable Pointer SaniMzaMon § SoluMon: limit the target funcMons to staMc code § How? • saniMze VTable pointers, to only allow legiMmate VTables used for virtual funcMon lookup. writable section read-only section obj1 of Class D1 VTable of Class D1 vfptr D1::foo() data1 ... writable section read-only section obj1 of Class D1 Translation Table VTable of Class D1 vt_idx D1::vfptr D1::foo() data1 ... ... 15

  16. Title Outline § MoMvaMon § Related Work § Design § ImplementaMon § EvaluaMon § Conclusion 16

  17. Title Virtual FuncMon Type Enforcement ASSERT( expected_signature == target_signature ) obj à foo(arg1, arg2); signature = hash ( funcName, typeList, qualifiers, classInfo ) § Compute signatures • funcMon name: § destructor funcMons § member funcMon pointers • class info: § top-most primary class’ name § Instrument signatures • hard-coded before virtual call sites • hard-coded before virtual funcMon bodies 17

  18. Title VTable Pointer SaniMzaMon writable section read-only section obj1 of Class D1 Translation Table VTable of Class D1 vt_idx D1::vfptr D1::foo() data1 ... ... § A centralized translaMon table is impracMcal • merge this table at load-Mme • update vt_idx in constructor funcMons § Our soluMon: distributed translaMon table • each library has its own translaMon table writable section read-only section Translation Table Global D1's VTable for lib1 Translation obj1 of Class D1 D1::foo() • constant library D1::vfptr Table ... idx_pair ... translaMon tables. lib1 data1 lib2 Translation Table for lib2 D2's VTable ... • constant idx_pair D2::vfptr D1::foo() ... ... 18

  19. Title Overall Workflow Clang/ LLVM CodeGen LLVM Opt LLVMgold.so Clang++ *.cpp LLVM IR LLVM IR *.cpp *.obj layer 1: layer 2: layer 1: executable/ VTable VFunc Type VTable VFunc Type libraries metadata (metadata) (checks) Enforcement Pointer Enforcement Collector (part 1) Sanitization (part 2) VTLib.cpp VTLib.so ld.gold 19

  20. Title Outline § MoMvaMon § Related Work § Design § ImplementaMon § EvaluaMon § Conclusion 20

  21. Title Performance Overhead § SPEC 2006 • avg (two layers together): 2.2% (~ 0.72% + 1.4%) • worst: 8.0% 6.00%$ 5.00%$ 4.00%$ 3.00%$ TypeEnforce$ 2.00%$ VTableSanCze$ 1.00%$ 0.00%$ $ $ $ $ $ $ $ $ . r p x I d y n c I a e p l m a a n a t l t r e a s p e a e v M l a o d n o a n s x m p . o e o G The 1 st layer defense is much faster than the 2 nd layer, sufficient for programs without dynamic generated code. 21

  22. Title Performance Overhead § Firefox • avg (two layers together): 2.2% (~ 0.4% + 1.8%) • worst: 4.3% 3.50%& 3.00%& 2.50%& 2.00%& 1.50%& TypeEnforce& 1.00%& VTableSaniHze& 0.50%& 0.00%& !0.50%& & & & & & & & e n r k e r . e n t r n e e a i d a k a p r m e B i a t e p c M e r e r s K O t e K n . i o L s e u w e c S a G o e r P B 22

  23. Title ProtecMon Effects § VTable injecMon a5acks § VTable reuse a5acks (few in real world) • BCTF challenge “ zhongguancun” 23

  24. Title Corner cases § Custom virtual funcMon definiMons • e.g., nsXPTCStubBase::StubNN() in Firefox • will cause false posiMves § Custom virtual call sites • e.g., NS_InvokeByIndex() in Firefox • will leave extra a5ack surface § VTrust could idenMfy all these corner cases automaMcally, and provides a precise protecMon. 24

  25. Title Conclusion § VTrust provides two layers of defenses against all virtual call hijacking a5acks. § Virtual funcAon type enforcement introduces a very low performance overhead, able to defeat all this type of a5acks if no dynamic code exists in target applicaMons. § VTable pointer saniAzaAon could help defeat all a5acks even if target applicaMons have dynamic code. § The performance and security evaluaMon show that VTrust has a low performance overhead, and provides a strong protecMon. 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IFRS adoption in Cambodia 8 th Floor, VTRUST Tower, St. 196, Sangkat Veal Vong, Khan 7 Makara,

IFRS adoption in Cambodia 8 th Floor, VTRUST Tower, St. 196, Sangkat Veal Vong, Khan 7 Makara,

KAMPUCHEA INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS AND AUDITORS IFRS adoption in Cambodia 8 th Floor, VTRUST Tower, St.

1.69k views • 11 slides
Oxleas NHS Foundation Trust OXLEAS NHS FOUNATION TRUST VIRTUAL CONSULTATIONS Project Lead

Oxleas NHS Foundation Trust OXLEAS NHS FOUNATION TRUST VIRTUAL CONSULTATIONS Project Lead

Showcase Presentation Oxleas NHS Foundation Trust OXLEAS NHS FOUNATION TRUST VIRTUAL CONSULTATIONS Project Lead Melony James Project Team Members Harpreet Sanghara Jo-Anne Linnane Sue Horbury Anthony Elisak Senior Sponsor Alison

321 views • 6 slides
CPU Scheduling - II System Calls Virtual Machines Tevfik Ko ar University at Buffalo

CPU Scheduling - II System Calls Virtual Machines Tevfik Ko ar University at Buffalo

CSE 421/521 - Operating Systems Roadmap Fall 2011 Multilevel Feedback Queues Estimating CPU bursts Lecture - VI CPU Scheduling - II System Calls Virtual Machines Tevfik Ko ar University at Buffalo September 15 th , 2011

442 views • 5 slides
virtual machine (pt 2) / microkernels 1 last time (1) sandboxing fjlter system calls guest

virtual machine (pt 2) / microkernels 1 last time (1) sandboxing fjlter system calls guest

virtual machine (pt 2) / microkernels 1 last time (1) sandboxing fjlter system calls guest OS running in hypervisor on host OS hypervisor tracks virtual machine state does guest OS think its in kernel mode? does guest OS think

947 views • 71 slides
Effective Virtual Meetings & Presentations Max Masnick, PhD 1 Top 4 ways to make video

Effective Virtual Meetings & Presentations Max Masnick, PhD 1 Top 4 ways to make video

Effective Virtual Meetings & Presentations Max Masnick, PhD 1 Top 4 ways to make video calls better 1. Use wired headphones/earbuds for all calls 2. Turn on your video and ask others to do the same 3. Plug your computer into Ethernet for

536 views • 18 slides
VIRTUAL ARCHITECTURAL PRACTICE - AN ALTERNATE REALITY PRODUCED BY AIA PMKC + AIA TRUST 1.5

VIRTUAL ARCHITECTURAL PRACTICE - AN ALTERNATE REALITY PRODUCED BY AIA PMKC + AIA TRUST 1.5

Peter S. Macrae, AIA SPEAKERS: VIRTUAL PRACTICE FRAMEWORK Charles R. Heuer, Esq, FAIA MANAGING RISK WHEN RUNNING A VIRTUAL PRACTICE Kevin J. Collins, RPLU, Associate AIA CHALLENGES TO PROFESSION AND PRACTICE IN A VIRTUAL PRACTICE Lira Luis,

630 views • 37 slides
Splitting Interfaces Making Trust Between Apps and OS Configurable Trust Model for an

Splitting Interfaces Making Trust Between Apps and OS Configurable Trust Model for an

Splitting Interfaces Making Trust Between Apps and OS Configurable Trust Model for an Application Kernel is seldom exploited directly (eg. malicious system calls) Attacker takes control of kernel through privileged applications

869 views • 33 slides
A Model of Trust Evaluation for A Model of Trust Evaluation for X.509 Certificate Abu Shohel

A Model of Trust Evaluation for A Model of Trust Evaluation for X.509 Certificate Abu Shohel

A Model of Trust Evaluation for A Model of Trust Evaluation for X.509 Certificate Abu Shohel Ahmed Abu Shohel Ahmed NordSecMob, University of Tartu How to identify an anonymous persons in online or virtual world? or virtual world? Whom to

582 views • 19 slides
Regaining the ST(E)AM in STEM Education: Transcending Boundaries to Transform STEM Education

Regaining the ST(E)AM in STEM Education: Transcending Boundaries to Transform STEM Education

Regaining the ST(E)AM in STEM Education: Transcending Boundaries to Transform STEM Education Roni Ellington, PhD Plenary Session Midwest Regional Noyce Connections Conference Friday, October 30, 2015 Omaha, Nebraska Thank You for the

372 views • 34 slides
Findings and Recommendations September 2011 Calls into VDN: 82,850 Calls Answered

Findings and Recommendations September 2011 Calls into VDN: 82,850 Calls Answered

Findings and Recommendations September 2011 Calls into VDN: 82,850 Calls Answered (ACCESS & 211): 32,717 Calls Abandoned: 13,978 (42%) Average Wait Time: 39 m minut nutes Customer Service Feedback: Question 8.

308 views • 20 slides
What We Learned From the Mid-Year Check-In Calls: Successes & Challenges Mid-Year Calls

What We Learned From the Mid-Year Check-In Calls: Successes & Challenges Mid-Year Calls

What We Learned From the Mid-Year Check-In Calls: Successes & Challenges Mid-Year Calls Asked state contact and contractor (if applicable) to be on calls Asked states to fill out work plan in advance Calls took around 1 hr.

396 views • 15 slides
ELDER WORK Regaining the Straying OUR ATTITUDE TOWARD THE STRAYING What terms have been used to

ELDER WORK Regaining the Straying OUR ATTITUDE TOWARD THE STRAYING What terms have been used to

ELDER WORK Regaining the Straying OUR ATTITUDE TOWARD THE STRAYING What terms have been used to describe congregation members who neglect word and sacrament? What kind of attitude do those terms reflect toward those who are neglecting the

389 views • 34 slides
Software Agents in Virtual Organizations: Good Faith and Trust Francisco Andrade, Paulo Novais,

Software Agents in Virtual Organizations: Good Faith and Trust Francisco Andrade, Paulo Novais,

Software Agents in Virtual Organizations: Good Faith and Trust Francisco Andrade, Paulo Novais, Jos Machado and Jos Neves Universidade do Minho - Portugal PROVE 2008 Poznan, Poland September, 9 th Introduction Virtual organizations

384 views • 26 slides
CSE 351: The Hardware/Software Interface Section 4 Procedure calls Procedure calls In x86

CSE 351: The Hardware/Software Interface Section 4 Procedure calls Procedure calls In x86

CSE 351: The Hardware/Software Interface Section 4 Procedure calls Procedure calls In x86 assembly, values are passed to function calls on the stack Perks: Concise, easy to remember Drawbacks: Always requires memory accesses In

496 views • 14 slides
SOUND DEVIRTUALIZATION LLVM DEVMTG18 SOUND DEVIRTUALIZATION WHAT ARE VIRTUAL CALLS

SOUND DEVIRTUALIZATION LLVM DEVMTG18 SOUND DEVIRTUALIZATION WHAT ARE VIRTUAL CALLS

PIOTR PADLEWSKI KRZYSZTOF PSZENICZNY SOUND DEVIRTUALIZATION LLVM DEVMTG18 SOUND DEVIRTUALIZATION WHAT ARE VIRTUAL CALLS Polymorphism in OOP %vtable = load {} %p %vfun = load {} %vtable call {} %vfun(args) LLVM DEVMTG18

537 views • 25 slides
Recursion A process by which a function calls itself repeatedly. Either directly. X

Recursion A process by which a function calls itself repeatedly. Either directly. X

1/28/2016 Recursion A process by which a function calls itself repeatedly. Either directly. X calls X. Or cyclically in a chain. X calls Y, and Y calls X. Used for repetitive computations in which each action is stated in

290 views • 10 slides
Welcome To NIST Open Industrial Digital Ecosystem Summit Co-sponsored by MIMOSA & OAGi

Welcome To NIST Open Industrial Digital Ecosystem Summit Co-sponsored by MIMOSA & OAGi

Welcome To NIST Open Industrial Digital Ecosystem Summit Co-sponsored by MIMOSA & OAGi Emergency Procedures for NCCoE Visitors Evacuation Emergencies What is an Evacuation Emergency? Fires Explosions Earthquakes Indoor

358 views • 15 slides
Experiences from the Implementation of a Structured- Entity-Relationship Modeling Method in a

Experiences from the Implementation of a Structured- Entity-Relationship Modeling Method in a

Experiences from the Implementation of a Structured- Entity-Relationship Modeling Method in a Student Project Thilo Maximilian Glssner, Florian Heumann, Luca Keler, Felix Hrer, Andreas Steffan, Hans-Georg Fill System Development and

343 views • 18 slides
Applying current knowledge to accelerate cancer prevention: what is preventable and how? UICC:

Applying current knowledge to accelerate cancer prevention: what is preventable and how? UICC:

Applying current knowledge to accelerate cancer prevention: what is preventable and how? UICC: World Cancer Congress Montreal Aug 29, 2012 Graham A Colditz, MD DrPH Niess-Gain Professor Department of Surgery Division of Public Health

770 views • 50 slides
sexual immorality, impurity, Personal Purity sensuality [19] idolatry, sorcery [20] Relating to

sexual immorality, impurity, Personal Purity sensuality [19] idolatry, sorcery [20] Relating to

Wo Works of the Flesh sexual immorality, impurity, Personal Purity sensuality [19] idolatry, sorcery [20] Relating to the Lord enmity, strife, jealousy, fits of anger, rivalries, dissensions, Relating to One divisions [20] envy, Another

159 views • 3 slides
Mapping Metaphor with the Historical Thesaurus Wendy Anderson, Ellen Bramwell, Rachael Hamilton

Mapping Metaphor with the Historical Thesaurus Wendy Anderson, Ellen Bramwell, Rachael Hamilton

Mapping Metaphor with the Historical Thesaurus Mapping Metaphor with the Historical Thesaurus Wendy Anderson, Ellen Bramwell, Rachael Hamilton Mapping Metaphor with the Historical Thesaurus Metaphor in literature All the worlds a stage And

498 views • 37 slides
Patients in the Genomic Era Marc Lippman, MD The Sylvester Comprehensive Cancer Center at the

Patients in the Genomic Era Marc Lippman, MD The Sylvester Comprehensive Cancer Center at the

Selecting Therapy for Breast Cancer Patients in the Genomic Era Marc Lippman, MD The Sylvester Comprehensive Cancer Center at the University of Miami PERSONALIZED MEDICINE FOR BREAST CANCER PATIENTS A WORKING DEFINITION: SUFFICIENT

764 views • 62 slides
Genomic Technologies and the New-era of Precision Cancer Medicine Adrian V. Lee, Ph.D. Professor

Genomic Technologies and the New-era of Precision Cancer Medicine Adrian V. Lee, Ph.D. Professor

UPCI and UPMC Cancer Centers Genomic Technologies and the New-era of Precision Cancer Medicine Adrian V. Lee, Ph.D. Professor of Pharmacology and Chemical Biology Professor of Human Genetics Director, Womens Cancer Research Center

505 views • 27 slides
Introduction to the IIIF Presentation API http://iiif.io/api/presentation/2.1/ Simeon Warner

Introduction to the IIIF Presentation API http://iiif.io/api/presentation/2.1/ Simeon Warner

Introduction to the IIIF Presentation API http://iiif.io/api/presentation/2.1/ Simeon Warner https://orcid.org/0000-0002-7970-7855 (Director of IT for Library Linked Data and Repository Architecture, Cornell University Library, USA) SWIB17,

414 views • 18 slides

More recommend