Top

Published in:

2018 | OriginalPaper | Chapter

CastSan: Efficient Detection of Polymorphic C++ Object Type Confusions with LLVM

Authors : Paul Muntean, Sebastian Wuerl, Jens Grossklags, Claudia Eckert

Published in: Computer Security

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

C++ object type confusion vulnerabilities as the result of illegal object casting have been threatening systems’ security for decades. While there exist several solutions to address this type of vulnerability, none of them are sufficiently practical for adoption in production scenarios. Most competitive and recent solutions require object type tracking for checking polymorphic object casts, and all have prohibitively high runtime overhead. The main source of overhead is the need to track the object type during runtime for both polymorphic and non-polymorphic object casts. In this paper, we present CastSan, a C++ object type confusion detection tool for polymorphic objects only, which scales efficiently to large and complex code bases as well as to many concurrent threads. To considerably reduce the object type cast checking overhead, we employ a new technique based on constructing the whole virtual table hierarchy during program compile time. Since CastSan does not rely on keeping track of the object type during runtime, the overhead is drastically reduced. Our evaluation results show that complex applications run insignificantly slower when our technique is deployed, thus making CastSan a real-world usage candidate. Finally, we envisage that based on our object type confusion detection technique, which relies on ordered virtual tables (vtables), even non-polymorphic object casts could be precisely handled by constructing auxiliary non-polymorphic function table hierarchies for static classes as well.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

next chapter On Leveraging Coding Habits for Effective Binary Authorship Attribution

2016 Working Draft, Standard for Programming Language C++ N4618. https://goo.gl/PPJ5QC

Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control flow integrity. In: CCS (2005)

Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control flow integrity principles, implementations, and applications. In: TISSEC (2009)

Balls Browser Benchmark (2017). http://bubblemark.com/

Bounov, D., Kici, R.G., Lerner, S.: Protecting C++ dynamic dispatch through VTable interleaving. In: NDSS (2016)

Buchanan, E., Roemer, R., Shacham, H., Savage, S.: When good instructions go bad: generalizing return-oriented programming to RISC. In: CCS (2008)

Clang. Clang 3.9 Documentation - Control Flow Integrity. https://goo.gl/gnmoHU

Clang. Clang 5 Documentation - Control Flow Integrity (2017). https://goo.gl/bW4DyS

Clang-CFI Cast Checker Metadata. https://goo.gl/JkGDjL

10.

Crane, S., et al.: It’s a TRaP: table randomization and protection against function-reuse attacks. In: CCS (2015)

11.

CVE-2016-1612: Bug Description and reward (2016). https://goo.gl/9SxjEA

12.

CVE-2017-3106: Object Type Confusion in Adobe F. Player v. 26.0.0.137 (2017). https://goo.gl/gakD25

13.

Dewey, D., Giffin, J.: Static detection of C++ VTable escape vulnerabilities in binary code. In: NDSS (2012)

14.

Dromaeo Browser Benchmark (2017). http://dromaeo.com/?v8

15.

Google. Undefined Behavior Sanitizer (2017). https://goo.gl/ELrNKj

16.

Google. The Chromium Projects, Chromium (2017). https://goo.gl/uE486n

17.

Haller, I., Goktas, E., Athanasopoulos, E., Portokalidis, G., Bos, H.: ShrinkWrap: VTable protection without loose ends. In: ACSAC (2015)

18.

Haller, I., Jeon, Y., Peng, H., Payer, M., Giuffrida, C.: TypeSan: practical type confusion detection. In: CCS (2016)

19.

Jeon, Y., Biswas, P., Carr, S., Lee, B., Payer, M.: HexType: efficient detection of type confusion errors for C++. In: CCS (2017)

20.

JetStream Browser Benchmark (2017). http://browserbench.org/JetStream/

21.

Kraken JavaScript Benchmark (2017). https://krakenbenchmark.mozilla.org/

22.

Lee, B., Song, C., Kim, T., Lee, W.: Type casting verification: stopping an emerging attack vector. In: USENIX Security (2015)

23.

LLVM. The LLVM Gold Plugin (2017). https://goo.gl/UjFxih

24.

LLVM. LLVM Team, The LLVM compiler infrastructure project. http://llvm.org/

25.

LLVM. LLVM link time optimization: design and implementation. https://goo.gl/r3RH2U

26.

Microsoft. Changes to Functionality in Microsoft Windows XP SP 2. https://goo.gl/928ihY

27.

Octane Browser Benchmark (2017). https://chromium.github.io/octane/

28.

PaX Team: Address Space Layout Randomization (2001). https://goo.gl/Sab9YE

29.

Prakash, A., Hu, X., Yin, H.: Strict protection for virtual function calls in COTS C++ binaries. In: NDSS (2015)

30.

Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.-R., Holz, T.: Counterfeit object-oriented programming. In: S&P (2015)

31.

Standard Performance Evaluation Corporation. SPEC CPU 2006 (2017). https://goo.gl/NtmYy8

32.

SunSpider 1.0.2 JavaScript Benchmark (2017). https://goo.gl/qk9uqg

33.

Zhang, C., et al.: Practical control flow integrity & randomization for binary executables. In: S&P (2013)

34.

Zhao, M., Grossklags, J., Liu, P.: An empirical study of web vulnerability discovery ecosystems. In: CCS (2015)

Title: CastSan: Efficient Detection of Polymorphic C++ Object Type Confusions with LLVM
Authors: Paul Muntean
Sebastian Wuerl
Jens Grossklags
Claudia Eckert
Publisher: Springer International Publishing
Book: Computer Security
Print ISBN: 978-3-319-99072-9

Electronic ISBN: 978-3-319-99073-6

Copyright Year: 2018
DOI: https://doi.org/10.1007/978-3-319-99073-6_1

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner