VTint: Protecting Virtual Function Tables’ Integrity Chao Zhang (UC Berkeley) Chengyu Song (Georgia Tech) Kevin Zhijie Chen (UC Berkeley) Zhaofeng Chen (Peking University) Dawn Song (UC Berkeley) VTable for Dynamic Dispatch (C++) void foo(Base2* obj){ objàvg4(); } class Sub: public Base1, Base2{…}; writable section read-only section Base1 object b1 VTable for Base1 vfptr Base1::vf1 base1_a ... VTable for Base2 Base2 object b2 Base2::vg1 vfptr ... base2_a Base2::vg10 Base1::vf10 VTable for Sub::Base1 Sub object s Sub::vf1 vfptr ... base1_a VTable for Sub::Base2 Sub::vf10 vfptr Sub::vg1 Sub::vh1 base2_a ... ... sub_a Sub::vg10 Sub::vh10 void main(){ Base2* obj = new Sub(); foo(obj); } code section ; Function main() push SIZE call malloc() mov ecx, eax call Sub::Sub() ; now ECX points to the Sub object add ecx, 8 ; now ECX points to the Sub::Base2 object call foo() ret ; Function foo() mov eax, [ecx] ; read vfptr of Base2 mov edx, [eax+0x0C] ; get vg4() from vtable call edx ; call Base2::vg4() ret VTable Hijacking in real world + Vulnerabilities like use-after-free + VTable Injection + ROP gadgets writable section • Pwn2Own 2014 Firefox • Pwn2Own 2014 Chrome • CVE-2014-1772 IE read-only section fake VTable VTable for Base1 gadget Base1::vf1 ... ... ... VTable for Base2 ... Base2::vg1 ... ... gadget Base2::vg10 Base1::vf10 VTable for Sub::Base1 Sub object s Sub::vf1 vfptr new_vfptr ... base1_a VTable for Sub::Base2 Sub::vf10 vfptr new_vfptr Sub::vg1 Sub::vh1 base2_a ... ... sub_a Sub::vg10 Sub::vh10 code section ; Function main() push SIZE call malloc() mov ecx, eax call Sub::Sub() ; now ECX points to the Sub object add ecx, 8 ; now ECX points to the Sub::Base2 object call foo() ret ; Function foo() mov eax, [ecx] ; read vfptr of Base2 mov edx, [eax+0x0C] ; get vg4() from vtable call edx ; call Base2::vg4() ret VTable Hijacking in real world • A common way to exploit heap overflow use after free Google: "80% attacks exploit use-after-free...” Microsoft: 50% CVEs targeted Winows7 are UAF VTable Hijacking … format string • written in C++ • BIG Targets in the Cloud VTable Hijacking Classification • VTable corruption writable section read-only section VTable for Base1 Base1::vf1 o overwrite VTable ... VTable for Base2 Base1::vf10 Base2::vg1 ... • VTable injection Base2::vg10 VTable for Sub::Base1 Sub object s Sub::vf1 shellcode() vfptr • VTable reuse ... base1_a VTable for Sub::Base2 Sub::vf10 vfptr Sub::vg1 Sub::vh1 base2_a ... ... sub_a Sub::vg10 Sub::vh10 shellcode() … VTable Hijacking Classification • VTable corruption o overwrite VTable • VTable injection o overwrite vfptr o point to fake VTable • VTable reuse writable section read-only section fake VTable VTable for Base1 shellcode() Base1::vf1 ... ... ... VTable for Base2 ... Base2::vg1 ... ... shellcode() Base2::vg10 Base1::vf10 VTable for Sub::Base1 Sub object s Sub::vf1 vfptr new_vfptr ... base1_a VTable for Sub::Base2 Sub::vf10 vfptr Sub::vg1 Sub::vh1 base2_a ... ... sub_a Sub::vg10 Sub::vh10 VTable Hijacking Classification • VTable corruption writable section read-only section VTable for Base1 Base1::vf1 o overwrite VTable ... VTable for Base2 Base1::vf10 Base2::vg1 ... • VTable injection o overwrite vfptr o point to fake VTable Base2::vg10 VTable for Sub::Base1 Sub object s Sub::vf1 vfptr new_vfptr ... base1_a VTable for Sub::Base2 Sub::vf10 vfptr Sub::vg1 Sub::vh1 base2_a ... ... sub_a Sub::vg10 Sub::vh10 • VTable reuse o overwrite vfptr o point to existing VTable, data etc. VTint • • • • Motivation VTint Design VTint Implementation Evaluation Our solution: VTint • Goal: VTable Hijacking o lightweight o binary o effective Observation Attack Requirement VTable Corruption overwrite VTable VTable is writable VTable Injection overwrite vfptr, point to injected VTable VTable is writable VTable Reuse overwrite vfptr, point to existing VTable/data VTable-like data, existing VTable Observation à Intuition Attack Requirement Countermeasure VTable Corruption overwrite VTable VTable is writable Read-only VTable VTable Injection overwrite vfptr, point to injected VTable VTable is writable Read-only VTable VTable Reuse overwrite vfptr, point to existing VTable/data VTable-like data, existing VTable different VTable/data Need exact TYPE information Light weight source-code solutions like VTGuard VTint vs. DEP VTint DEP VTable Corruption Read-only VTable Code Corruption Read-only Code Sec VTable Injection Read-only VTable Code Injection Read-only Code Sec (writable sections will not be executed) VTable Reuse different VTable/data Code Reuse NO • Similar to DEP o lightweight, and can be binary-compatible • Different from DEP o after hardening, the attack surface is smaller VTint • • • • Motivation VTint Design VTint Implementation Evaluation Architecture VTint parsing PE files PE executable PEParser candidate VTables, function entries recursive disassembling BitCover Instrumenting VTables, virtual calls VRewriter VTables, virtual calls hardened PE • Binary parsing • Disassembling • Binary rewriting VTint parsing PE files Binary Parsing • PE format o relocation table o import/export table • Output: PE executable PEParser candidate VTables, function entries recursive disassembling BitCover VTables, virtual calls Instrumenting VTables, virtual calls VRewriter o candidate function entries § relocation entries, export entries, EntryPoint o candidate VTables § addresses of VTables are in the relocation table § entries in VTables are also in the relocation table hardened PE VTint parsing PE files Disassembling • Goal o recover CFG § find out all functions, instructions o recover high-level information § constructor functions § real VTables § virtual function calls PE executable PEParser candidate VTables, function entries recursive disassembling BitCover Instrumenting VTables, virtual calls VRewriter • recursive disassembly o starting from candidate function entries o targeting normal PE binaries, with relocation table VTables, virtual calls hardened PE Disassembling (1) Identify Constructor Function • Basic Pattern ; allocate object memory push SIZE call malloc() mov ecx, eax • Identification o we know candidate vtables object init ; get VTable ptr mov eax, vfptr vtable references ; assign VTable to object mov [ecx], eax vtable assignments Disassembling (2) Identify VTables • Basic Pattern • Identification o we know candidate vtables ; assign to objects in constructors mov [ecx], vfptr find vtable assignments • VTable size o unable to get exact size in binaries o we can estimate the maximum size § continuous relocation entries § adjacent RTTI, this adjustors, base offsets Disassembling (3) Identify Virtual Function Calls • Basic Pattern • Idenfication o we know indirect calls ; get vtable ptr from object mov eax, [ecx+8] ; get virtual func ptr from vtable mov edx, [eax+24] ; prepare this ptr for callee add ecx, 8 ; call virtual function call edx vtable read operation vfunc read operation this argument indirect calls VTint parsing PE files Binary Rewriting • Security Policy PEParser candidate VTables, function entries recursive disassembling o Enforce VTables to be read-only o Differentiate VTables from other data BitCover Instrumenting VTables, virtual calls • Rewriting (Read-only page) VTID VTable 2 VTable … VTables, virtual calls hardened PE VRewriter ; get vtable ptr from object mov eax, [ecx+8] check vtable page has VTID VTable 1 PE executable Info Leakage? No problem! check vtable page is read-only ; get virtual func ptr from vtable mov edx, [eax+24] ; call virtual function call edx VTint • • • • Motivation VTint Solution VTint Implementation Evaluation Static Analysis Results • Firefox analysis o fast analysis for each module o small file size overhead Performance Evaluation • Firefox • Chrome • Average performance overhead is less than 2% Protection Effect • Real World Exploits Limitations • Binary disassembling • High-level information recovery o Constructor functions o VTables o Virtual function calls • Reusing existing VTables o call existing virtual functions Conclusion • VTable hijacking is popular and critical • Existing solutions are not perfect • VTint is a lightweight, binary-compatible and effective defense against VTable hijacking, similar to DEP Thanks!
© Copyright 2024