VTPin: Protecting Legacy Software from VTable Hijacking

No Thumbnail Available
Journal Title
Journal ISSN
Volume Title
Perustieteiden korkeakoulu | Master's thesis
Ask about the availability of the thesis by sending email to the Aalto University Learning Centre oppimiskeskus@aalto.fi
Date
2016-08-24
Department
Major/Subject
Security and Mobile Computing
Mcode
T3011
Degree programme
Master's Degree Programme in Security and Mobile Computing (NordSecMob)
Language
en
Pages
36+4
Series
Abstract
VTable hijacking has lately been promoted to the de facto technique for exploiting C++ applications, and in particular web browsers. VTables can be manipulated without corrupting memory, simply by leveraging use-after-free vulnerabilities. In recent Pwn2Own competitions all major web browsers, as well as Adobe Flash player were compromised with exploits based on use-after-free vulnerabilities and most had VTable hijacking at some intermediate step of the attack. In this thesis, we propose VTPin: a system to protect against VTable hijacking, via use-after-free vulnerabilities, in large C++ binaries that cannot be re-compiled or rewritten. The main idea behind VTPin is to pin all the freed VTable pointers on a safe VTable under VTPin’s control. Specifically, for every occurring object deallocation, free, VTPin quickly identifies if it is associated with a virtual object; in case it is not, VTPin outsources the deallocation to the program’s allocator. Otherwise, VTPin deallocates all space allocated, but preserves and updates the VTable pointer with the address of the safe VTable. Hence, any dereferenced dangling pointer can only invoke a method provided by VTPin’s safe object. Subsequently, all virtual-method calls due to dangling pointers are not simply neutralized, but they can be logged, tracked, and patched. Compared to other solutions that defend against VTable hijacking, VTPin exhibits certain characteristics that make it suitable for practical and instant deployment in production software. First, VTPin protects binaries, directly and transparently, without requiring source compilation or binary rewriting. Second, VTPin is not an allocator replacement, and thus it does not interfere with the allocation strategies and policies of the protected program; it intervenes in the deallocation process only when a virtual object is to be freed for preserving the VTable pointer. Third, VTPin is fast; Mozilla Firefox, protected with VTPin, experiences an average overhead of 1% to 4.1% when running popular browser benchmarks.
Description
Supervisor
Aura, Tuomas
Thesis advisor
Athanasopoulos, Elias
Kemerlis, Vasileios
Keywords
vtable, vulnerabilities, binary, c++, protection, use-after-free
Other note
Citation