Protecting Virtual Calls in Binary Programs: An Empirical Study from COTS Applications To CPS Applications
Chao Zhang

Citation
Chao Zhang. "Protecting Virtual Calls in Binary Programs: An Empirical Study from COTS Applications To CPS Applications". Talk or presentation, 28, May, 2015.

Abstract
One of the most popular exploit targets in modern COTS applications is virtual table pointers (vfptr, widely used in C++ programs), which point to virtual function tables (vtable) consisting of virtual function pointers. Attackers can exploit vulnerabilities, such as use-after-free and heap overflow, to overwrite the vtable or vfptr, causing further virtual function calls to be hijacked (vtable hijacking). In this talk we (1) present a lightweight defense solution VTint to protect binary executables against vtable hijacking attacks. It uses binary rewriting to instrument security checks before virtual function dispatches to validate vtables’ integrity. Experiments show that it only introduces a low performance overhead (less than 2%), and it can effectively protect real-world vtable hijacking attacks. We also (2) investigate some CPS applications and development frameworks, and uncover the potential attack surface.

Electronic downloads

Internal. This publication has been marked by the author for FORCES-only distribution, so electronic downloads are not available without logging in.

Citation formats

• HTML

  Chao Zhang. <a
  href="http://www.cps-forces.org/pubs/71.html"
  ><i>Protecting Virtual Calls in Binary Programs: An
  Empirical Study from COTS Applications To CPS
  Applications</i></a>, Talk or presentation,  28,
  May, 2015.

• Plain text

  Chao Zhang. "Protecting Virtual Calls in Binary
  Programs: An Empirical Study from COTS Applications To CPS
  Applications". Talk or presentation,  28, May, 2015.

• BibTeX

  @presentation{Zhang15_ProtectingVirtualCallsInBinaryProgramsEmpiricalStudy,
      author = {Chao Zhang},
      title = {Protecting Virtual Calls in Binary Programs: An
                Empirical Study from COTS Applications To CPS
                Applications},
      day = {28},
      month = {May},
      year = {2015},
      abstract = {One of the most popular exploit targets in modern
                COTS applications is virtual table pointers
                (vfptr, widely used in C++ programs), which point
                to virtual function tables (vtable) consisting of
                virtual function pointers. Attackers can exploit
                vulnerabilities, such as use-after-free and heap
                overflow, to overwrite the vtable or vfptr,
                causing further virtual function calls to be
                hijacked (vtable hijacking). In this talk we (1)
                present a lightweight defense solution VTint to
                protect binary executables against vtable
                hijacking attacks. It uses binary rewriting to
                instrument security checks before virtual function
                dispatches to validate vtables’ integrity.
                Experiments show that it only introduces a low
                performance overhead (less than 2%), and it can
                effectively protect real-world vtable hijacking
                attacks. We also (2) investigate some CPS
                applications and development frameworks, and
                uncover the potential attack surface.},
      URL = {http://cps-forces.org/pubs/71.html}
  }
  

Posted by Carolyn Winter on 10 Jun 2015.
Groups: forces
For additional information, see the Publications FAQ or contact webmaster at cps-forces org.