VPS: Excavating High-Level C++ Constructs from Low-Level Binaries to Protect Dynamic Dispatching

by   Andre Pawlowski, et al.

Polymorphism and inheritance make C++ suitable for writing complex software, but significantly increase the attack surface because the implementation relies on virtual function tables (vtables). These vtables contain function pointers that attackers can potentially hijack and in practice, vtable hijacking is one of the most important attack vector for C++ binaries. In this paper, we present VTable Pointer Separation (VPS), a practical binary-level defense against vtable hijacking in C++ applications. Unlike previous binary-level defenses, which rely on unsound static analyses to match classes to virtual callsites, VPS achieves a more accurate protection by restricting virtual callsites to validly created objects. More specifically, VPS ensures that virtual callsites can only use objects created at valid object construction sites, and only if those objects can reach the callsite. Moreover, VPS explicitly prevents false positives (falsely identified virtual callsites) from breaking the binary, an issue existing work does not handle correctly or at all. We evaluate the prototype implementation of VPS on a diverse set of complex, real-world applications (MongoDB, MySQL server, Node.js, SPEC CPU2017/CPU2006), showing that our approach protects on average 97.8 virtual callsites in SPEC CPU2006 and 97.4 benchmarks), with a moderate performance overhead of 11 respectively. Furthermore, our evaluation reveals 86 false negatives in VTV, a popular source-based defense which is part of GCC.


page 1

page 2

page 3

page 4


Devil is Virtual: Reversing Virtual Inheritance in C++ Binaries

Complexities that arise from implementation of object-oriented concepts ...

Comparing Controller With the Hand Gestures Pinch and Grab for Picking Up and Placing Virtual Objects

Grabbing virtual objects is one of the essential tasks for Augmented, Vi...

HODOR: Shrinking Attack Surface on Node.js via System Call Limitation

Node.js provides Node.js applications with system interaction capabiliti...

Machine Learning-based Ransomware Detection Using Low-level Memory Access Patterns Obtained From Live-forensic Hypervisor

Since modern anti-virus software mainly depends on a signature-based sta...

Exploiting vulnerabilities of deep neural networks for privacy protection

Adversarial perturbations can be added to images to protect their conten...

SAILenv: Learning in Virtual Visual Environments Made Simple

Recently, researchers in Machine Learning algorithms, Computer Vision sc...

Please sign up or login with your details

Forgot password? Click here to reset