VTint: Protecting Virtual Function Tables Integrity


SLIDE 1

VTint: Protecting Virtual Function Tables’ Integrity

Chao Zhang (UC Berkeley), Chengyu Song (Georgia Tech), Kevin Zhijie Chen (UC Berkeley), Zhaofeng Chen (Peking University), Dawn Song (UC Berkeley)

SLIDE 2

VTable for Dynamic Dispatch (C++)

  class Sub: public Base1, Base2 {…};

  void foo(Base2* obj){
    obj->vg4();
  }

  int main(){
    Base2* obj = new Sub();
    foo(obj);
    return 0;
  }

Figure: memory layout. Writable section: Base1 object b1 (vfptr, base1_a); Sub object s (vfptr, base1_a, vfptr, base2_a, sub_a); Base2 object b2 (vfptr, base2_a). Read-only section: VTable for Base1 (Base1::vf1 ... Base1::vf10), VTable for Sub::Base1 (Sub::vf1 ... Sub::vf10, Sub::vh1 ... Sub::vh10), VTable for Sub::Base2 (Sub::vg1 ... Sub::vg10), VTable for Base2 (Base2::vg1 ... Base2::vg10).

Code section:

  ; Function main()
  push SIZE
  call malloc()
  mov ecx, eax
  call Sub::Sub()      ; now ECX points to the Sub object
  add ecx, 8           ; now ECX points to the Sub::Base2 object
  call foo()
  ret

  ; Function foo()
  mov eax, [ecx]       ; read vfptr of Base2
  mov edx, [eax+0x0C]  ; get vg4() from vtable
  call edx             ; call Base2::vg4()
  ret

SLIDE 3

VTable Hijacking in real world

  • Vulnerabilities like use-after-free
  • VTable Injection
  • ROP gadgets

Figure: same code section and memory layout as slide 2, with a fake VTable (gadget ... gadget) placed in the writable section and the object's vfptr overwritten with new_vfptr pointing at it.

  • Pwn2Own 2014 Firefox
  • Pwn2Own 2014 Chrome
  • CVE-2014-1772 IE

SLIDE 4

VTable Hijacking in real world

  • A common way to exploit: use after free, format string, heap overflow, … → VTable Hijacking
  • Google: "80% attacks exploit use-after-free..."
  • Microsoft: 50% CVEs targeted Windows 7 are UAF
  • written in C++
  • BIG Targets in the Cloud
SLIDE 5

VTable Hijacking Classification

  • VTable corruption
      • overwrite VTable
  • VTable injection
  • VTable reuse

Figure: memory layout as in slide 2, with entries of an existing VTable overwritten with shellcode() (VTable corruption).

SLIDE 6

VTable Hijacking Classification

  • VTable corruption
      • overwrite VTable
  • VTable injection
      • overwrite vfptr
      • point to fake VTable
  • VTable reuse

Figure: memory layout as in slide 2, with a fake VTable (shellcode() ... shellcode()) in the writable section and the object's vfptr overwritten with new_vfptr pointing at it (VTable injection).

SLIDE 7

VTable Hijacking Classification

  • VTable corruption
      • overwrite VTable
  • VTable injection
      • overwrite vfptr
      • point to fake VTable
  • VTable reuse
      • overwrite vfptr
      • point to existing VTable, data etc.

Figure: memory layout as in slide 2, with the object's vfptr overwritten with new_vfptr pointing at an existing VTable or VTable-like data (VTable reuse).

SLIDE 8

VTint

  • Motivation
  • VTint Design
  • VTint Implementation
  • Evaluation
SLIDE 9

Our solution: VTint

  • Goal: defend against VTable Hijacking
      • lightweight
      • binary-compatible
      • effective
SLIDE 10

Observation

  Attack               Method                                          Requirement
  VTable Corruption    overwrite VTable                                VTable is writable
  VTable Injection     overwrite vfptr, point to injected VTable       VTable is writable
  VTable Reuse         overwrite vfptr, point to existing VTable/data  VTable-like data, existing VTable

SLIDE 11

Observation → Intuition

  Attack               Method                                          Requirement                        Countermeasure
  VTable Corruption    overwrite VTable                                VTable is writable                 Read-only VTable
  VTable Injection     overwrite vfptr, point to injected VTable       VTable is writable                 Read-only VTable
  VTable Reuse         overwrite vfptr, point to existing VTable/data  VTable-like data, existing VTable  different VTable/data

  • Need exact TYPE information
  • Lightweight
  • source-code solutions like VTGuard

SLIDE 12

VTint vs. DEP

  • Similar to DEP
      • lightweight, and can be binary-compatible
  • Different from DEP
      • after hardening, the attack surface is smaller

  VTint                                       DEP
  VTable Corruption   Read-only VTable        Code Corruption   Read-only Code Sec
  VTable Injection    Read-only VTable        Code Injection    Read-only Code Sec (writable sections will not be executed)
  VTable Reuse        different VTable/data   Code Reuse        NO

SLIDE 13

VTint

  • Motivation
  • VTint Design
  • VTint Implementation
  • Evaluation
SLIDE 14

Architecture

  • Binary parsing
  • Disassembling
  • Binary rewriting

Figure: VTint pipeline. PE executable → PEParser (parsing PE files) → candidate VTables, function entries → BitCover (recursive disassembling) → VTables, virtual calls → VRewriter (instrumenting VTables, virtual calls) → hardened PE.

SLIDE 15

Binary Parsing

  • PE format
      • relocation table
      • import/export table
  • Output:
      • candidate function entries
          § relocation entries, export entries, EntryPoint
      • candidate VTables
          § addresses of VTables are in the relocation table
          § entries in VTables are also in the relocation table

SLIDE 16

Disassembling

  • Goal
      • recover CFG
          § find out all functions, instructions
      • recover high-level information
          § constructor functions
          § real VTables
          § virtual function calls
  • recursive disassembly
      • starting from candidate function entries
      • targeting normal PE binaries, with relocation table

SLIDE 17

Disassembling (1) Identify Constructor Function

  • Basic Pattern
      • object init
  • Identification
      • we know candidate vtables

  ; allocate object memory
  push SIZE
  call malloc()
  mov ecx, eax
  ; get VTable ptr
  mov eax, vfptr       ; vtable reference
  ; assign VTable to object
  mov [ecx], eax       ; vtable assignment
SLIDE 18

Disassembling (2) Identify VTables

  • Basic Pattern
  • Identification
      • we know candidate vtables
      • find vtable assignments

  ; assign to objects in constructors
  mov [ecx], vfptr

  • VTable size
      • unable to get exact size in binaries
      • we can estimate the maximum size
          § continuous relocation entries
          § adjacent RTTI, this adjustors, base offsets
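The relocation-table heuristics of slide 15 (candidate VTables) and this slide (maximum size from continuous relocation entries), as an added C example that is not VTint's code: the relocation table, its addresses and the 4-byte slot size are constructed for a 32-bit image.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed 32-bit relocation table (sorted addresses of 4-byte slots that hold
 * absolute pointers), standing in for a real PE .reloc section:
 *   0x401005            operand of "mov [ecx], vfptr" inside a constructor
 *   0x402000..0x40200C  four slots of one VTable (function pointers)
 *   0x402014, 0x402018  slots of a second table, separated by a non-relocated word */
static const uint32_t relocs[] = { 0x401005, 0x402000, 0x402004, 0x402008, 0x40200C,
                                   0x402014, 0x402018 };
static const size_t nrelocs = sizeof relocs / sizeof relocs[0];

/* Binary search: is this address a relocation entry? */
static int is_reloc(uint32_t addr)
{
    size_t lo = 0, hi = nrelocs;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (relocs[mid] == addr) return 1;
        if (relocs[mid] < addr) lo = mid + 1; else hi = mid;
    }
    return 0;
}

/* A VTable reference is a relocated instruction operand whose target address is
 * itself a relocation entry (the first VTable slot holds a relocated function pointer). */
int is_candidate_vtable(uint32_t operand_slot, uint32_t operand_value)
{
    return is_reloc(operand_slot) && is_reloc(operand_value);
}

/* The exact table size is not recoverable from the binary, so the run of consecutive
 * 4-byte relocation entries starting at the table is an upper bound on its entry count. */
size_t max_vtable_entries(uint32_t vtable)
{
    size_t n = 0;
    while (is_reloc(vtable + 4u * (uint32_t)n)) n++;
    return n;
}
```

Adjacent RTTI pointers or this-adjustor thunks, which the slide also lists, would further tighten the bound in a real analysis.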

SLIDE 19

Disassembling (3) Identify Virtual Function Calls

  • Basic Pattern
  • Identification
      • we know indirect calls

  ; get vtable ptr from object
  mov eax, [ecx+8]     ; vtable read operation
  ; get virtual func ptr from vtable
  mov edx, [eax+24]    ; vfunc read operation
  ; prepare this ptr for callee
  add ecx, 8           ; this argument
  ; call virtual function
  call edx             ; indirect call

SLIDE 20

Binary Rewriting

  • Security Policy
      • Enforce VTables to be read-only
      • Differentiate VTables from other data
  • Rewriting

Figure: VTables (VTable 1, VTable 2, VTable …) are placed in a read-only page tagged with a VTID, and each virtual call site is instrumented:

  ; get vtable ptr from object
  mov eax, [ecx+8]
  ; check vtable page is read-only
  ; check vtable page has VTID
  ; get virtual func ptr from vtable
  mov edx, [eax+24]
  ; call virtual function
  call edx

  Info Leakage? No problem!
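The instrumented check sketched in C over a simulated two-page address space, as an added example that is not VTint's code: PAGE_SIZE, the VTID marker value, page_of and vcall are assumptions for the demo, and a real implementation would query the actual page permissions instead of a simulated flag.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PAGE_SIZE 4096u
#define VTID      0x56544944u  /* constructed marker value ("VTID"), not VTint's own encoding */
typedef int (*vfn)(void);

/* Simulated address space: page 0 holds the real VTables (read-only, VTID at its start),
 * page 1 is a writable heap page. A real build would consult the page permissions. */
typedef struct { int writable; _Alignas(16) uint8_t data[PAGE_SIZE]; } page_t;
static page_t pages[2] = { { 0, { 0 } }, { 1, { 0 } } };

static const page_t *page_of(const void *p)
{
    for (size_t i = 0; i < 2; i++)
        if ((const uint8_t *)p >= pages[i].data && (const uint8_t *)p < pages[i].data + PAGE_SIZE)
            return &pages[i];
    return NULL;  /* pointer into no known page */
}

/* VTint policy: accept a VTable pointer only if its page is read-only and carries VTID. */
int vtint_check(const void *vtable)
{
    const page_t *pg = page_of(vtable);
    uint32_t tag;
    if (pg == NULL || pg->writable) return 0;
    memcpy(&tag, pg->data, sizeof tag);
    return tag == VTID;
}

typedef struct { const vfn *vfptr; } object_t;

/* Instrumented virtual call: check between the vfptr read and the indirect call; -1 = blocked. */
int vcall(const object_t *obj, size_t idx)
{
    return vtint_check(obj->vfptr) ? obj->vfptr[idx]() : -1;
}

static int real_vg4(void) { return 4; }
static int forged_vg4(void) { return 1337; }

/* Scenario: real VTable in the read-only page, forged VTable in the heap page.
 * Returns 1 when the legitimate call goes through and the hijacked one is blocked. */
int demo(void)
{
    uint32_t tag = VTID;
    vfn *real_vt = (vfn *)(pages[0].data + 16), *fake_vt = (vfn *)pages[1].data;
    memcpy(pages[0].data, &tag, sizeof tag);
    real_vt[0] = real_vg4; fake_vt[0] = forged_vg4;
    object_t obj = { real_vt };
    int legit = vcall(&obj, 0);      /* 4 */
    obj.vfptr = fake_vt;             /* simulated vfptr overwrite */
    return legit == 4 && vcall(&obj, 0) == -1;
}
```

The check reads only the page's permission and its leading tag, which is why the slide notes that exposing the VTID is not an information-leakage concern: a writable page cannot pass the first test whatever it contains.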

SLIDE 21

VTint

  • Motivation
  • VTint Solution
  • VTint Implementation
  • Evaluation
SLIDE 22

Static Analysis Results

  • Firefox analysis
  • fast analysis for each module
  • small file size overhead
SLIDE 23

Performance Evaluation

  • Firefox
  • Chrome
  • Average performance overhead is less than 2%
SLIDE 24

Protection Effect

  • Real World Exploits
SLIDE 25

Limitations

  • Binary disassembling
  • High-level information recovery
      • Constructor functions
      • VTables
      • Virtual function calls
  • Reusing existing VTables
      • call existing virtual functions
SLIDE 26

Conclusion

  • VTable hijacking is popular and critical
  • Existing solutions are not perfect
  • VTint is a lightweight, binary-compatible and effective defense against VTable hijacking, similar to DEP

SLIDE 27

Thanks!